From 6377509ea95571c109f15d92d778a5ce89e250c7 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Tue, 3 Aug 2021 09:25:14 +1000 Subject: [PATCH] Update the package with new safetydb and new IDE support (#253) * Update the package with new safetydb and new IDE support * Change the gradle to work around the broken intellij package * Update a bunch of deprecated API calls --- .github/actions/Dockerfile | 2 +- .github/actions/jdk.table.xml | 2 +- .github/workflows/build.yml | 4 +- Dockerfile | 2 +- HISTORY.md | 5 + build.gradle | 23 +- .../packaging/PyPackageSecurityScan.kt | 24 +- .../security/packaging/SafetyDbChecker.kt | 13 +- .../java/security/packaging/SnykChecker.kt | 18 +- .../validators/SqlInjectionInspection.kt | 4 +- src/main/resources/META-INF/plugin.xml | 7 +- src/main/resources/safety-db/insecure.json | 1255 +- .../resources/safety-db/insecure_full.json | 14311 +++++++++++++--- 13 files changed, 13588 insertions(+), 2082 deletions(-) diff --git a/.github/actions/Dockerfile b/.github/actions/Dockerfile index 22e12c70..b862e6ad 100644 --- a/.github/actions/Dockerfile +++ b/.github/actions/Dockerfile @@ -2,7 +2,7 @@ FROM anthonypjshaw/pycharm-security:latest COPY action.sh /action.sh COPY parse.py /code/parse.py COPY project.iml /code/project.iml -COPY jdk.table.xml /root/.config/JetBrains/PyCharm2020.2/jdk.table.xml +COPY jdk.table.xml /root/.config/JetBrains/PyCharm2021.2/jdk.table.xml RUN apt-get -y update && apt-get -y install python3 python3-pip python3-venv && python3 -m pip install setuptools RUN ["chmod", "+x", "/action.sh"] ENTRYPOINT ["/action.sh"] diff --git a/.github/actions/jdk.table.xml b/.github/actions/jdk.table.xml index 4db644bd..2b9856e7 100644 --- a/.github/actions/jdk.table.xml +++ b/.github/actions/jdk.table.xml @@ -12,7 +12,7 @@ - + diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e6d23a68..e5635ebc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -7,7 +7,7 @@ jobs: strategy: matrix: os: [ubuntu-latest, macos-latest, windows-latest] - pycharm-version: ['2021.1'] + pycharm-version: ['2021.2'] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v1 @@ -27,7 +27,7 @@ jobs: java-version: 11 - uses: eskatos/gradle-command-action@v1 with: - arguments: jacocoTestReport -PintellijPublishToken=FAKE_TOKEN -PintellijVersion=2021.1 + arguments: jacocoTestReport -PintellijPublishToken=FAKE_TOKEN -PintellijVersion=2021.2 - name: Codecov uses: codecov/codecov-action@v1.0.7 with: diff --git a/Dockerfile b/Dockerfile index d574d1c0..1be5e74b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG PYCHARM_VERSION=2021.1 +ARG PYCHARM_VERSION=2021.2 FROM ubuntu:18.04 ARG PYCHARM_VERSION RUN echo "Building PyCharm $PYCHARM_VERSION with python-security" diff --git a/HISTORY.md b/HISTORY.md index c2d9fa40..169db027 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,5 +1,10 @@ # Release History +## 1.24.2 + +* Support for 2021.2 series +* Update safety db to august 2021 + ## 1.24.1 * Fix a bug raising a runtime exception (PsiInvalidElementException) diff --git a/build.gradle b/build.gradle index 3fe91031..437e6447 100644 --- a/build.gradle +++ b/build.gradle @@ -7,7 +7,7 @@ plugins { } group 'org.tonybaloney.security' -version '1.24.1' +version '1.24.2' def ktor_version = "1.6.2" def kotlin_version = "1.5.21" 
@@ -38,26 +38,27 @@ test {
 }
 // See https://github.com/JetBrains/gradle-intellij-plugin/
-intellij {
- type 'PC'
- plugins 'python-ce', 'yaml'
- updateSinceUntilBuild false
-}
 // Make the intellij version overridable on the command line to support multiple build versions..
-intellij.version = project.hasProperty('intellijVersion') ? project.getProperty('intellijVersion') : '211-EAP-SNAPSHOT'
+def intellijversion = project.hasProperty('intellijVersion') ? project.getProperty('intellijVersion') : '2021.2'
+intellij {
+ type = 'PC'
+ plugins = ['python-ce', 'yaml']
+ updateSinceUntilBuild = false
+ version = intellijversion
+}
 patchPluginXml {
- changeNotes """
-

1.24.1

+ changeNotes = """ +

1.24.2

    -
  • Fix a bug raising a runtime exception (PsiInvalidElementException)
  • +
  • Support for 2021.2 IDEs
""" } publishPlugin {
- token intellijPublishToken
+ token = intellijPublishToken // channels 'beta'
 }
diff --git a/src/main/java/security/packaging/PyPackageSecurityScan.kt b/src/main/java/security/packaging/PyPackageSecurityScan.kt
index eb48d598..02fd2d16 100644
--- a/src/main/java/security/packaging/PyPackageSecurityScan.kt
+++ b/src/main/java/security/packaging/PyPackageSecurityScan.kt
@@ -1,7 +1,7 @@
 package security.packaging
 import com.google.common.collect.Sets
-import com.intellij.notification.NotificationGroup
+import com.intellij.notification.NotificationGroupManager
 import com.intellij.notification.NotificationListener
 import com.intellij.notification.NotificationType
 import com.intellij.openapi.module.ModuleManager
@@ -16,7 +16,7 @@ import kotlinx.coroutines.runBlocking
 import security.settings.SecuritySettings
 object PyPackageSecurityScan {
- var NOTIFICATION_GROUP = NotificationGroup.balloonGroup("Python Package Security Checker")
+ var NOTIFICATION_GROUP = NotificationGroupManager.getInstance().getNotificationGroup("pythonsecurity.checker")
 fun checkPackages(project: Project): Boolean?{
 val pythonSdks = getPythonSdks(project)
@@ -86,7 +86,7 @@ object PyPackageSecurityScan {
 private fun backendError(project: Project, message: String?){
 NOTIFICATION_GROUP
- .createNotification("Could not check Python packages", null,
+ .createNotification("Could not check Python packages",
 "Could not fetch API to validate records. Check your API details.\n$message",
 NotificationType.ERROR)
 .notify(project)
@@ -94,7 +94,7 @@ object PyPackageSecurityScan {
 private fun returnError(project: Project){
 NOTIFICATION_GROUP
- .createNotification("Could not check Python packages", null,
+ .createNotification("Could not check Python packages",
 "Could not verify security of Python packages, unable to locate configured Python Interpreter. Please configure your interpreter.",
 NotificationType.INFORMATION)
 .notify(project)
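Review bot: `NOTIFICATION_GROUP` stays a `var` although nothing in the object reassigns it, and its new initializer `NotificationGroupManager.getInstance().getNotificationGroup("pythonsecurity.checker")` runs when the object is first touched, so a group id that is not registered in plugin.xml would surface as a null group and a failure inside whichever notification helper runs first, with nothing naming the id. Declare it `val NOTIFICATION_GROUP = checkNotNull(NotificationGroupManager.getInstance().getNotificationGroup("pythonsecurity.checker")) { "notification group pythonsecurity.checker is not registered in plugin.xml" }`, which also pins the nullability of what is a platform type on the Kotlin side. The plugin.xml hunk of this commit adds four lines whose content is not visible on this page, so whether the id is actually registered cannot be confirmed from here.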
@@ -102,7 +102,7 @@ object PyPackageSecurityScan {
 private fun showTotalIssuesWarning(matches: Int, project: Project) {
 NOTIFICATION_GROUP
- .createNotification("Completed checking packages", null,
+ .createNotification("Completed checking packages",
 "Found $matches potential security issues with your installed packages.",
 NotificationType.WARNING)
 .notify(project)
@@ -110,19 +110,21 @@ object PyPackageSecurityScan {
 private fun showNoMatchesInformation(project: Project) {
 NOTIFICATION_GROUP
- .createNotification("Completed checking packages", null,
+ .createNotification("Completed checking packages",
 "Found no known security issues with your installed packages.",
 NotificationType.INFORMATION)
 .notify(project)
 }
 private fun showFoundIssueWarning(pack: PyPackage?, issue: PackageIssue, project: Project) {
- NOTIFICATION_GROUP
- .createNotification("Found Security Vulnerability in $pack package", null,
+ val not = NOTIFICATION_GROUP
+ .createNotification("Found Security Vulnerability in $pack package",
 issue.getMessage(),
- NotificationType.WARNING,
- NotificationListener.URL_OPENING_LISTENER
- ).notify(project)
+ NotificationType.WARNING
+
+ )
+ not.setListener(NotificationListener.URL_OPENING_LISTENER)
+ not.notify(project)
 }
 fun getPythonSdks(project: Project): Set {
diff --git a/src/main/java/security/packaging/SafetyDbChecker.kt b/src/main/java/security/packaging/SafetyDbChecker.kt
index 3ddf98ab..69d6665e 100644
--- a/src/main/java/security/packaging/SafetyDbChecker.kt
+++ b/src/main/java/security/packaging/SafetyDbChecker.kt
@@ -1,6 +1,6 @@
 package security.packaging
-import com.google.gson.Gson
+import com.google.gson.GsonBuilder
 import com.google.gson.reflect.TypeToken
 import com.jetbrains.python.packaging.PyPackage
 import java.io.IOException
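Review bot: In showFoundIssueWarning the notification body `issue.getMessage()` is advisory text that originates from the bundled SafetyDB JSON or the Snyk API response; balloon content is rendered as HTML, and with `NotificationListener.URL_OPENING_LISTENER` attached through `setListener` every anchor in that text becomes a link that opens the browser, so markup in a database entry reaches the IDE unescaped unless PackageIssue.getMessage() already escapes it (its implementation is not in this diff). If it does not, pass `StringUtil.escapeXmlEntities(issue.getMessage())` as the content, or expose the advisory link as an explicit notification action instead of relying on the HTML listener. `Notification.setListener` and `URL_OPENING_LISTENER` may themselves be deprecated on the 2021.2 platform this commit targets, which is worth checking given the commit's stated aim of removing deprecated calls. The local name `not` reads as a negation and `notification` would be clearer; `pack` is `PyPackage?`, so the title interpolation `$pack` prints "null" when no package is supplied.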
@@ -52,6 +52,8 @@ class SafetyDbChecker : BasePackageChecker {
 throw PackageCheckerLoadException(io.message!!) else throw PackageCheckerLoadException("Could not load data from SafetyDB API")
+ }catch (io: com.google.gson.JsonSyntaxException){
+ throw PackageCheckerLoadException("Could not load data from SafetyDB API, JSON file is corrupted")
 }
 }
@@ -60,16 +62,17 @@ class SafetyDbChecker : BasePackageChecker {
 }
 private fun load(databaseReader: Reader, lookupReader: Reader) {
+ val gson = GsonBuilder().create()
 val recordLookupType = object : TypeToken>>() {}.type
- lookup = Gson().fromJson(lookupReader, recordLookupType)
+ lookup = gson.fromJson(lookupReader, recordLookupType)
 val recordDatabaseType = object : TypeToken>>() {}.type
- database = Gson().fromJson(databaseReader, recordDatabaseType)
+ database = gson.fromJson(databaseReader, recordDatabaseType)
 }
 override fun hasMatch(pythonPackage: PyPackage?): Boolean{
 if (pythonPackage==null) return false
- for (record in lookup[pythonPackage.name.toLowerCase()] ?: return false){
+ for (record in lookup[pythonPackage.name.lowercase()] ?: return false){
 val specs = parseVersionSpecs(record) ?: continue
 if (specs.all { it != null && it.matches(pythonPackage.version) }) return true
@@ -80,7 +83,7 @@ class SafetyDbChecker : BasePackageChecker {
 override suspend fun getMatches (pythonPackage: PyPackage?): List {
 if (pythonPackage==null) return listOf()
 val records: ArrayList = ArrayList()
- for (record in database[pythonPackage.name.toLowerCase()] ?: error("Package not in database")){
+ for (record in database[pythonPackage.name.lowercase()] ?: error("Package not in database")){
 val specs = parseVersionSpecs(record.v) ?: continue
 if (specs.all { it != null && it.matches(pythonPackage.version) }) records.add(SafetyDbIssue(record, pythonPackage))
diff --git a/src/main/java/security/packaging/SnykChecker.kt b/src/main/java/security/packaging/SnykChecker.kt
index bbb7efe7..dcde5768 100644
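Review bot: The new `catch (io: com.google.gson.JsonSyntaxException)` branch throws a PackageCheckerLoadException carrying only a fixed string, so the position information Gson puts into the JsonSyntaxException message is lost, and the name `io` suggests an I/O failure for what is a parse failure. If PackageCheckerLoadException accepts a cause (its constructors are outside this hunk) pass the exception through; otherwise at least append its message: `}catch (syntax: com.google.gson.JsonSyntaxException){` followed by `throw PackageCheckerLoadException("Could not load data from SafetyDB API, JSON file is corrupted: ${syntax.message}")`. Gson can also raise JsonIOException when the reader fails mid-parse, which neither catch covers; the enclosing try block begins above this hunk.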
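Review bot: `database[pythonPackage.name.lowercase()] ?: error("Package not in database")` in getMatches throws IllegalStateException for a package that hasMatch accepted from `lookup` but that has no entry in `database`; with both SafetyDB JSON files replaced wholesale in this commit, any key present in one file and missing from the other turns a scan into a crash instead of an empty result. Returning the empty list keeps the checker's contract: `for (record in database[pythonPackage.name.lowercase()] ?: return records){`. Separately, both maps are keyed by the lower-cased name only, so a package whose installed name differs from the database key by `_`, `.` or `-` (PEP 503 normalisation) is missed by hasMatch and getMatches alike. Which JSON file feeds which map is not shown in this hunk, and the rest of getMatches lies beyond it.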
--- a/src/main/java/security/packaging/SnykChecker.kt
+++ b/src/main/java/security/packaging/SnykChecker.kt
@@ -1,16 +1,12 @@
 package security.packaging
 import com.jetbrains.python.packaging.PyPackage
-import io.ktor.client.HttpClient
-import io.ktor.client.engine.apache.Apache
-import io.ktor.client.features.ServerResponseException
-import io.ktor.client.features.defaultRequest
-import io.ktor.client.features.json.GsonSerializer
-import io.ktor.client.features.json.JsonFeature
-import io.ktor.client.request.get
-import io.ktor.client.request.header
-import io.ktor.client.request.headers
-import io.ktor.http.Url
+import io.ktor.client.*
+import io.ktor.client.engine.apache.*
+import io.ktor.client.features.*
+import io.ktor.client.features.json.*
+import io.ktor.client.request.*
+import io.ktor.http.*
 import kotlinx.coroutines.TimeoutCancellationException
 import java.net.SocketTimeoutException
@@ -95,7 +91,7 @@ class SnykChecker (private val apiKey: String, private val orgId: String ): Base
 override suspend fun getMatches (pythonPackage: PyPackage?): List {
 if (pythonPackage==null) return listOf()
 val records: ArrayList = ArrayList()
- val data = load(pythonPackage.name.toLowerCase(), pythonPackage.version) ?: return records
+ val data = load(pythonPackage.name.lowercase(), pythonPackage.version) ?: return records
 if (data.ok) return records
 if (data.issues == null) return records
diff --git a/src/main/java/security/validators/SqlInjectionInspection.kt b/src/main/java/security/validators/SqlInjectionInspection.kt
index 2971eb91..43cb193d 100644
--- a/src/main/java/security/validators/SqlInjectionInspection.kt
+++ b/src/main/java/security/validators/SqlInjectionInspection.kt
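Review bot: The ten explicit ktor imports became six wildcard imports (`io.ktor.client.*` and siblings); ktor's 1.x documentation suggests exactly that, but the Kotlin coding conventions and ktlint's default no-wildcard-imports rule flag it, and the explicit list also told a reader which pieces (JsonFeature, GsonSerializer, defaultRequest, ServerResponseException) this client depends on. SafetyDbChecker.kt in the same commit keeps explicit imports, so either restore them here or record the ktor exemption in the project's lint configuration so both files follow one rule.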
@@ -28,11 +28,11 @@ class SqlInjectionInspection : PyInspection() {
 fun looksLikeSql(str: String) : Boolean {
 // Quickly respond to double-worded SQL statements
- if (certainlySqlStartingStrings.any { str.toUpperCase().startsWith(it) }) return true
+ if (certainlySqlStartingStrings.any { str.uppercase().startsWith(it) }) return true
 // SELECT must contain FROM, and UPDATE must contain SET
 possiblySqlCommandPairs.forEach { pair ->
- if (str.toUpperCase().startsWith(pair.key) && str.toUpperCase().contains(pair.value))
+ if (str.uppercase().startsWith(pair.key) && str.uppercase().contains(pair.value))
 return true
 }
 return false
diff --git a/src/main/resources/META-INF/plugin.xml b/src/main/resources/META-INF/plugin.xml
index a8bf8fb7..1982a9be 100644
--- a/src/main/resources/META-INF/plugin.xml
+++ b/src/main/resources/META-INF/plugin.xml
@@ -22,7 +22,7 @@
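Review bot: `str.uppercase()` is evaluated once per entry of certainlySqlStartingStrings and twice per entry of possiblySqlCommandPairs, copying the string each time although `str` never changes inside looksLikeSql; compute it once with `val upper = str.uppercase()` and use `if (certainlySqlStartingStrings.any { upper.startsWith(it) }) return true` and `if (upper.startsWith(pair.key) && upper.contains(pair.value))`. The move from toUpperCase() also drops the default-locale dependency (under a Turkish locale "insert" upper-cased to "İNSERT" and could never match an ASCII keyword), which is a behaviour change worth a line in HISTORY.md. The function's closing brace is outside the hunk.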
  • Scan code in your CI/CD using Docker
  • ]]> - + @@ -69,6 +69,10 @@ + + + + @@ -77,4 +81,5 @@ + \ No newline at end of file diff --git a/src/main/resources/safety-db/insecure.json b/src/main/resources/safety-db/insecure.json index feac2020..9bd03f9e 100644 --- a/src/main/resources/safety-db/insecure.json +++ b/src/main/resources/safety-db/insecure.json @@ -1,4 +1,11 @@ { + "abracadabra": [ + "<0.0.4" + ], + "accesscontrol": [ + ">=4.0.0,<4.3.0", + ">=5.0.0,<5.2.0" + ], "acqusition": [ "<0", ">0" @@ -17,7 +24,8 @@ "<0.12.3" ], "aiida-core": [ - "<0.12.3" + "<0.12.3", + "<1.6.0" ], "aioapns": [ "<1.10" @@ -32,7 +40,8 @@ "<0.15.0" ], "aiohttp": [ - "<0.16.3" + "<0.16.3", + "<3.7.4" ], "aiohttp-auth-autz": [ "<0.2.0" @@ -49,6 +58,12 @@ "aiootp": [ "<0.10.1", "<0.11.0", + "<0.13.0", + "<0.17.0", + "<0.18.0", + "<0.18.1", + "<0.19.0", + "<0.19.3", "<0.2.0", "<0.3.0", "<0.6.0", @@ -58,6 +73,15 @@ "<0.9.1", "<0.9.2" ], + "aiosolr": [ + "<3.3.2" + ], + "airtable": [ + "<0.4.4" + ], + "ajsonrpc": [ + "<1.1.0" + ], "aldryn-django": [ "<1.8.10.1", "<1.8.18.1" @@ -68,6 +92,9 @@ "alexandra": [ "<0.4.0" ], + "algorithm-toolkit": [ + "<0.1.3beta" + ], "allennlp": [ "<0.6.1", "<0.9.0" @@ -120,8 +147,17 @@ "ansigenome": [ "<0.6.0" ], + "ansitoimg": [ + "<2021.0.1" + ], + "anymotion-sdk": [ + "<1.2.5" + ], "apache-airflow": [ - "<1.10.0" + "<1.10.0", + "<1.10.13", + ">=1.0.0a1,<1.10.15", + ">=2.0.0a1,<2.0.2" ], "apache-libcloud": [ "<0.11.1", @@ -132,6 +168,23 @@ "<8.0.0" ], "apache-superset": [ + "<0.11.0", + "<0.14.0", + "<0.19.1", + "<0.23.0", + "<0.25.0", + "<0.28.0rc5", + "<0.29.0rc8", + "<0.31.0rc1", + "<0.32.0rc1", + "<0.32.0rc2.dev2", + "<0.33.0rc1", + "<0.34.0", + "<0.35.0", + "<0.35.1", + "<0.35.2", + "<0.36.0", + "<0.37.0", "<0.37.1", "<0.9.1" ], @@ -150,7 +203,8 @@ "<0.9.2" ], "appwrite": [ - "<0.4.0" + "<0.4.0", + "<0.9.0" ], "archi": [ "<=0.2.2" @@ -158,6 +212,9 @@ "archmage": [ "<0.3.1" ], + "asciidoc": [ + "<8.6.6" + ], "asgi-csrf": [ "<0.3" ], 
@@ -168,16 +225,29 @@ "astropy": [ "<3.0.1" ], + "async-search-client": [ + "<0.5.1" + ], + "asyncssh": [ + "<2.5.0" + ], "att-iot-gateway": [ "<0.4.0" ], + "auditree-framework": [ + "<1.19.0" + ], "authbwc": [ "<0.1.4", "<0.3.1" ], + "auto-surprise": [ + "<0.1.7" + ], "autobahn": [ "<0.15.0", - "<0.6.4" + "<0.6.4", + "<20.12.3" ], "avocado-framework": [ "<0.17.0" @@ -226,6 +296,9 @@ "benchexec": [ "<2.2" ], + "bento-lib": [ + "<3.0.1" + ], "bepasty": [ "<0.3.0", "<0.6.0" @@ -310,6 +383,7 @@ ], "bottle": [ "<0.12.10", + "<0.12.19", ">=0.10,<0.10.12", ">=0.11,<0.11.7", ">=0.12,<0.12.6" @@ -344,7 +418,14 @@ "<4.6.0" ], "cairosvg": [ - "<1.0.21" + "<1.0.21", + "<2.5.1" + ], + "calcipy": [ + "<2021.0.2.0" + ], + "calcwave": [ + "<1.2.6" ], "callisto-core": [ "<0.27.9" @@ -355,6 +436,9 @@ "<1.0.2", "<1.4.0" ], + "cartridge-braintree": [ + "<1.2.2" + ], "cbapi": [ ">=1.3.3,<1.3.4" ], @@ -388,9 +472,15 @@ "cfstacks": [ "<0.4.4" ], + "cg": [ + "<18.11.3" + ], "chanjo-report": [ "<2.4.0" ], + "channels": [ + ">=3.0.0,<3.0.3" + ], "chaosloader": [ "<1.0.0" ], @@ -420,10 +510,16 @@ "<0.36.0" ], "chia-blockchain": [ + "<1.0b19", "<1.0beta10", "<1.0beta14", "<1.0beta8", - "<1.0beta9" + "<1.0beta9", + "<1.0rc5", + "<1.0rc6" + ], + "chiavdf": [ + "<1.0" ], "cinder": [ "<14.1.0", @@ -437,9 +533,13 @@ "circup": [ "<0.0.6" ], + "ck": [ + "<1.7.1" + ], "ckan": [ "<1.5.1", - "<1.8.1" + "<1.8.1", + "<2.6.9" ], "clam": [ "<0.9.10", @@ -451,6 +551,13 @@ "client-sdk-python": [ "<4.7.0" ], + "clipster-desktop": [ + "<0.3.0" + ], + "cliquery": [ + "<1.10.0", + "<1.9.3" + ], "cloudinary": [ "<1.0.21" ], @@ -474,18 +581,25 @@ ], "codalab": [ "<0.2.33", - "<0.5.12" + "<0.5.12", + "<0.5.33" ], "codecov": [ "<2.0.16", "<2.0.17" ], + "codeforcesapipy": [ + "<2.0.8" + ], "coinbasepro": [ "<0.1.0" ], "coincurve": [ "<8.0.0" ], + "coinstac": [ + "<5.2.1" + ], "colander": [ "<1.7.0" ], 
@@ -525,6 +639,13 @@ "colonyscanalyser": [ "<0.2.0" ], + "compliance-trestle": [ + "<0.15.0" + ], + "concrete-datastore": [ + "<1.22.0", + "<1.23.0" + ], "conference-scheduler-cli": [ "<=0.10.1" ], @@ -566,22 +687,35 @@ ], "cookie-manager": [ "<1.0.3", - "<1.1.0" + "<1.1.0", + "<1.2.1" ], "cookiecutter": [ "<0.1.0", "<0.3.1", "<1.1.0" ], + "coordination-network-toolkit": [ + "<1.0.2" + ], + "cortex": [ + "<0.32.0" + ], "cosmos-wfm": [ "<2.1.1" ], + "coverage": [ + "<6.0b1" + ], "coveralls": [ "<0.1.1" ], "cplay-ng": [ "<1.50" ], + "crate-docs-theme": [ + "<0.13.0" + ], "creavel": [ "<0.11.0", "<0.14.0" @@ -597,7 +731,8 @@ ], "crossbar": [ "<0.15.0", - "<0.6.4" + "<0.6.4", + "<20.12.3" ], "crypt": [ "<0", @@ -606,10 +741,15 @@ "cryptacular": [ "<1.2" ], + "crypto-candlesticks": [ + "<0.1.5" + ], "cryptography": [ "<0.9.1", "<1.0.2", "<1.5.3", + "<3.3", + "<3.3.2", "<=3.2", ">=1.9.0,<2.3" ], @@ -621,17 +761,48 @@ "cssutils": [ "<0.9.6a2" ], + "cstar": [ + "<0.5.0" + ], "cumin": [ "=1.11.17", "<1.11.19,>=1.11.0", "<1.11.22,>1.11", "<1.11.22,>1.11.21", @@ -740,7 +939,6 @@ "<2.1.10,>2.1", "<2.1.2,>=2.1", "<2.1.2,>=2.1.0", - "<2.1.5,>=2.1.4", "<2.1.6,>=2.1.0", "<2.2.3,>2.2", "==1.11.14", @@ -752,21 +950,26 @@ "==1.11.9", "==1.8.14", "==2.0.7", - "==2.0.9", "==2.1.10", "==2.1.14", "==2.1.8", - "==2.1.9", "==2.2.1", - "==2.2.10", + "==2.2.17", + "==2.2.18", "==2.2.2", + "==2.2.23", "==2.2.3", "==2.2.7", "==2.2.8", "==2.2.9", "==3.0", + "==3.0.11", + "==3.0.12", "==3.0.2", - "==3.0.3", + "==3.1.11", + "==3.1.5", + "==3.1.6", + "==3.2.3", ">=1.1,<1.1.1", ">=1.10,<1.10.3", ">=1.10,<1.10.7", @@ -780,6 +983,7 @@ ">=1.11.8,<1.11.10", ">=1.11a1,<1.11.11", ">=1.11a1,<1.11.15", + ">=1.11a1,<1.11.18", ">=1.2,<1.2.4", ">=1.2,<1.2.5", ">=1.3,<1.3.1", @@ -818,6 +1022,8 @@ ">=1.9,<1.9.3", ">=1.9,<1.9.8", ">=1.9,<1.9rc2", + ">=2.0.0a1,<2.2.24", + ">=2.0a1,<2.0.10", ">=2.0a1,<2.0.11", ">=2.0a1,<2.0.2", ">=2.0a1,<2.0.3", 
@@ -826,16 +1032,34 @@ ">=2.1,<2.1.15", ">=2.1,<2.1.9", ">=2.1.0,<2.1.11", + ">=2.1a1,<2.1.5", ">=2.2,<2.2.10", + ">=2.2,<2.2.18", ">=2.2,<2.2.2", + ">=2.2,<2.2.21", ">=2.2,<2.2.8", ">=2.2.0,<2.2.11", ">=2.2.0,<2.2.4", + ">=2.2.0a1,<2.2.24", ">=2.2a1,<2.2.13", + ">=2.2a1,<2.2.20", + ">=2.2a1,<2.2.22", + ">=3.0,<3.0.12", ">=3.0,<3.0.3", ">=3.0.0,<3.0.4", + ">=3.0.0a1,<3.1.12", ">=3.0a1,<3.0.1", - ">=3.0a1,<3.0.7" + ">=3.0a1,<3.0.14", + ">=3.0a1,<3.0.7", + ">=3.1,<3.1.13", + ">=3.1,<3.1.6", + ">=3.1a1,<3.1.10", + ">=3.1a1,<3.1.8", + ">=3.1a1,<3.1.9", + ">=3.2,<3.2.1", + ">=3.2,<3.2.5", + ">=3.2.0a1,<3.2.4", + ">=3.2a1,<3.2.2" ], "django-access-tokens": [ "<0.9.2" @@ -885,6 +1109,7 @@ ], "django-ca": [ "<1.10.0", + "<1.17.0", "<1.9.0" ], "django-celery-results": [ @@ -931,6 +1156,11 @@ "django-dajaxice-ng": [ "<0.1.7" ], + "django-debug-toolbar": [ + "<1.11.1", + ">2,<2.2.1", + ">3,<3.2.1" + ], "django-discord-bind": [ "<0.2.0" ], @@ -1003,6 +1233,12 @@ "django-jet": [ "<1.0.4" ], + "django-jet-reboot": [ + "<1.0.4" + ], + "django-jinja-knockout": [ + "<0.9.0" + ], "django-js-reverse": [ "<0.9.1" ], @@ -1059,6 +1295,9 @@ "django-nopassword": [ "<5.0.0" ], + "django-oauth-toolkit": [ + "<0.8.0" + ], "django-orghierarchy": [ "<0.1.13", "<0.1.18" @@ -1082,11 +1321,15 @@ "<0.9.5", "<0.9.8" ], + "django-qiyu-token": [ + "<0.1.2" + ], "django-rated": [ "<1.1.2" ], "django-registration": [ - "<1.7" + "<1.7", + "<3.1.2" ], "django-registration-redux": [ "<1.7" @@ -1132,7 +1375,11 @@ "django-social-auth3": [ "<0.7.2" ], + "django-sql-dashboard": [ + "<0.14" + ], "django-sql-explorer": [ + "<0.5", "<1.1.0" ], "django-sticky-uploads": [ @@ -1196,7 +1443,8 @@ "<1.5" ], "djangosaml2": [ - "<0.17.2" + "<0.17.2", + "<1.0.1" ], "djblets": [ "<0.8.3", @@ -1219,9 +1467,18 @@ "<1.4.0", "<2.0.0" ], + "dnsimple": [ + "<2.1.2" + ], "docassemble": [ "<0.3.35", - "<0.5.105" + "<0.5.105", + "<1.0.12", + "<1.1.113", + "<1.2.65" + ], + "doccano": [ + "<1.0.3" ], "docker": [ "<3.5.1" 
@@ -1232,6 +1489,9 @@ "dogtag-pki": [ "<=10.8.3" ], + "domonic": [ + "<0.2.17" + ], "donfig": [ "==0.3.0" ], @@ -1241,6 +1501,12 @@ "dplib": [ "<1.4" ], + "dpymenus": [ + "<2.1.5" + ], + "draft-kings": [ + "<2.0.3" + ], "drf-api-logger": [ "<=0.0.7" ], @@ -1262,6 +1528,9 @@ "dulwich": [ "<0.9.920150320" ], + "dynamo-release": [ + "<0.99" + ], "easy-install": [ "<0.7" ], @@ -1278,6 +1547,9 @@ "edx-ecommerce-worker": [ "==0.8.2" ], + "egon": [ + "<0.4.1" + ], "eh": [ "<0.2.8", "<1.3.0" @@ -1288,22 +1560,41 @@ "electrumx": [ "<1.4.1" ], + "elyra": [ + "<2.2.3", + "<2.3.0b0" + ], "emcache": [ "<1.3.6" ], "emitter-io": [ "<2.704" ], + "emrt.necd.content": [ + "<2.0.15" + ], + "encapsia-api": [ + "<0.2.9" + ], "engineio-client": [ "<3.1.2", "<3.1.4" ], + "envyconfig": [ + "<1.1.4" + ], "epsagon": [ "<1.5.0" ], + "epyk": [ + "<1.5.6" + ], "errbot": [ "<1.3.0" ], + "ert-storage": [ + "<0.1.8" + ], "espeakng": [ "<1.49.0", "<1.50" @@ -1331,17 +1622,37 @@ ], "euphorie": [ "<11.1.2", + "<11.7.1", "<6.1" ], "eve-alpha": [ "<0.0.7" ], + "event-scheduler": [ + "<0.1.2" + ], "event-tracking": [ "<0.2.9" ], + "eventlet": [ + "<0.31.0" + ], "eventmq": [ "<0.3.13rc1" ], + "exgrex-py": [ + "<0.3a2" + ], + "exgrex-pytest": [ + "<0.1a2" + ], + "exoskeleton": [ + "<1.2.1", + "<1.2.5" + ], + "experimaestro": [ + "<0.7.11" + ], "extensiveautomation-server": [ "<12.1.0", "<13.0.0", @@ -1354,6 +1665,12 @@ "faker": [ "<0.1" ], + "fangfrisch": [ + "<1.4.0" + ], + "faraday-agent-dispatcher": [ + "<1.2.1" + ], "fast-curator": [ "<0.2.2" ], @@ -1361,10 +1678,17 @@ "<0.18.0", "<0.30.0", "<0.37.0", - "<0.60.2" + "<0.60.2", + "<0.65.1", + "<0.65.2" ], "fastapi-login": [ - "<1.4.0" + "<1.4.0", + "<1.6.0", + "<1.6.1" + ], + "fastapi-restful": [ + "<0.3.1" ], "fastecdsa": [ "<2.1.5" @@ -1372,9 +1696,15 @@ "featureserver": [ "<1.06" ], + "fedcloudclient": [ + "<1.1.0" + ], "fedmsg": [ "<0.18.2" ], + "fedn": [ + "<0.2.3" + ], "fedora": [ "<0.3.10", "<0.3.34" 
@@ -1387,6 +1717,9 @@ "<5.0.1", "<5.1.2" ], + "fiduswriter": [ + "<3.9.24" + ], "fincity-django-allauth": [ "<0.18.0", "<0.28.0", @@ -1396,6 +1729,9 @@ "<0.36.0", "<0.38.0" ], + "firepyer": [ + "<0.0.2" + ], "flambe": [ "<0.4.16" ], @@ -1413,6 +1749,9 @@ "<1.5.3", "<=1.5.2" ], + "flask-api-tools": [ + "<1.6.2" + ], "flask-appbuilder": [ "<0.2.0", "<0.7.8", @@ -1420,11 +1759,15 @@ "<1.9.2", "<1.9.3", "<2.2.2", - "<2.2.4" + "<2.2.4", + "<=3.2.3" ], "flask-async": [ "<0.6.1" ], + "flask-caching": [ + "<=1.10.1" + ], "flask-cors": [ "<3.0.9" ], @@ -1458,9 +1801,16 @@ "flask-oidc": [ "<0.1.2" ], + "flask-pyoidc": [ + "<3.7.0" + ], "flask-security-fork": [ "<1.8.1" ], + "flask-security-too": [ + ">0.0.1a1", + ">=3.3.0rc1,<3.4.5" + ], "flask-sieve": [ "<1.0.4", "<1.1.0" @@ -1471,9 +1821,29 @@ "flask-statsdclient": [ "<2.0.2" ], + "flask-unchained": [ + "<0.9.0" + ], + "flask-user": [ + "<=1.0.2.2" + ], + "flatplan": [ + "<1.2.0" + ], "flex": [ "<6.12.0" ], + "flora-blockchain": [ + "<1.0b10", + "<1.0b8", + "<1.0b9", + "<1.0rc5", + "<1.0rc6", + "<1.1.3" + ], + "fnapy": [ + "<1.1.7" + ], "foolscap": [ "<0.7.0" ], @@ -1516,18 +1886,30 @@ "ftw.permissionmanager": [ "<2.2.2" ], + "funcx": [ + "<0.2.0" + ], "fundnsf": [ "<0.0.32" ], "futoin-cid": [ "<0.8.5" ], + "galaxy-importer": [ + "<0.2.15" + ], "gandi.cli": [ "<0.10" ], "gdal": [ "<3.1.0" ], + "gds-django-jet": [ + "<1.0.4" + ], + "genbadge": [ + "<1.0.0" + ], "genshi": [ "<0.6.1" ], @@ -1542,8 +1924,11 @@ "<2.10.3", "<2.8.1" ], + "geonode-oauth-toolkit": [ + "<0.8.0" + ], "gerapy": [ - ">=0,<0.9.3" + "<0.9.3" ], "getmail": [ "<3.2.5", @@ -1555,6 +1940,10 @@ "geventhttpclient": [ "<1.2.0" ], + "gino-quart": [ + "<0.1.1b2", + "<0.1.1b4" + ], "giosgapps-bindings": [ "<0.0.19" ], @@ -1562,9 +1951,19 @@ "<2.2.0", "<2.5.0" ], + "git-portfolio": [ + "<0.10.1" + ], "gitlab-languages": [ "<1.4.1" ], + "gitlabform": [ + "<2.0.5" + ], + "glances": [ + "<3.2.0", + "<3.2.1" + ], "glovo-api-python": [ "<2.0.0" ], 
@@ -1576,12 +1975,18 @@ "==0.3.5", "==0.3.6" ], + "gocept.month": [ + "<2.2" + ], "goharbor": [ "<1.1.0" ], "google-appengine": [ "<1.5.4" ], + "google-images-search": [ + "<1.3.8" + ], "gordo-components": [ "<0.15.1" ], @@ -1594,6 +1999,9 @@ "grafana-dashboard-builder": [ "<0.6.0a1" ], + "graphite-web": [ + "<1.1.8" + ], "graphrepo": [ "<0.1.8" ], @@ -1605,11 +2013,30 @@ ], "guillotina": [ "<4.5.8", - "<6.0.0b3" + "<6.0.0b3", + "<6.2.3" + ], + "guillotina-dynamictablestorage": [ + "<1.1.0" + ], + "gunicorn": [ + "<19.10.0", + "<19.4.0", + ">=20.0.0,<20.0.1" ], "gvar": [ "<9.2.1" ], + "handprint": [ + "<1.5.0" + ], + "hardline": [ + "<0.12", + "<0.13" + ], + "hashers": [ + "<0.2.11" + ], "heedy": [ "<0.3.0a1" ], @@ -1619,6 +2046,9 @@ "hhpy": [ "<0.1.8" ], + "hivemind": [ + "<0.9.5" + ], "holocron": [ "<0.2.0" ], @@ -1627,15 +2057,24 @@ ">=0.56,<0.73.2", ">=0.98,<0.98.5" ], + "horizon": [ + "<15.3.2", + ">=16.0.0.0b1,<16.2.1", + ">=17.0,<18.3.3" + ], "hotaru": [ "<3.2.4" ], + "hover": [ + "<=0.4.0" + ], "hpack": [ "<1.2.0", "<2.3.0" ], "hpim-dm": [ - "<1.0" + "<1.0", + "<1.4" ], "html5": [ "<0.99999999" @@ -1652,6 +2091,7 @@ ], "httplib2": [ "<0.18.0", + "<0.19.0", "<=0.9.2" ], "httprunner": [ @@ -1664,6 +2104,15 @@ "httpsig-cffi": [ "<1.0.0" ], + "httpx-gssapi": [ + "<0.6" + ], + "hub": [ + "<0.9.0" + ], + "hubitatmaker": [ + "<0.5.4" + ], "hug": [ "<2.3.0" ], @@ -1671,6 +2120,9 @@ "<0.9.5", "<1.3" ], + "hxl-proxy": [ + "<1.22" + ], "hydroshare": [ "<1.9.5", "<1.9.6" @@ -1678,9 +2130,15 @@ "hyper-kube-config": [ "<0.6.1" ], + "hypothesis": [ + "<3.69.8" + ], "ib-client": [ "<0.1.2" ], + "idchecker": [ + "<1.1.1" + ], "im": [ "<1.5.0" ], @@ -1690,6 +2148,10 @@ "indico": [ "<2.0.2", "<2.2.8", + "<2.3.4", + "<2.3.5", + "<3.0", + "<3.0rc1", ">=2.0.0,<2.0.3", ">=2.1.0,<2.1.10", ">=2.1.0,<2.1.11", @@ -1697,6 +2159,9 @@ ">=2.2.0,<2.2.3", ">=2.2.0,<2.2.4" ], + "influx-prompt": [ + "<1.0.1" + ], "infracheck": [ "<1.7.rc2" ], 
@@ -1707,9 +2172,7 @@ "<2.3.1" ], "instana": [ - "<1.20.2", - "<1.36.1", - "<1.37.1" + "<1.20.2" ], "intelmq": [ "<=2.1.1" @@ -1734,12 +2197,18 @@ "invenio-app": [ "<1.1.1" ], + "invenio-app-ils": [ + "<1.0.0a28" + ], "invenio-records": [ "<1.0.2" ], "invenio-search": [ "<0.1.3" ], + "iotedgehubdev": [ + "<0.14.5" + ], "ipsilon": [ ">=0.1.0,<1.0.1" ], @@ -1753,6 +2222,9 @@ "irc3": [ "<0.4.4" ], + "iroin-python-pptx": [ + "<0.6.12" + ], "ironic-discoverd": [ "<2.3.0" ], @@ -1777,6 +2249,11 @@ "<0.6", "<0.7" ], + "jake": [ + "<0.2.59", + "<0.2.69", + "<0.2.70" + ], "jarbas-utils": [ "<0.5.1" ], @@ -1799,13 +2276,14 @@ "<2.7.3" ], "jinja2": [ + "<2.11.3", "<2.7.2", "<2.7.3" ], "jnitrace": [ "<1.0.6", "<2.2.1", - "<3.0.5" + ">=3.0.0,<3.0.5" ], "jose": [ "<0.3.0" @@ -1813,6 +2291,13 @@ "js-videojs": [ "<4.12.5" ], + "jsoneditor": [ + "<2.2.2", + "<9.0.2" + ], + "jsonpickle": [ + "<=1.4.1" + ], "jsonrpc-pyclient": [ "<0.7.0" ], @@ -1827,11 +2312,24 @@ ], "jupyter-server": [ "<0.2.0", - "<1.0.6" + "<1.0.6", + "<1.1.0" ], "jupyterhub": [ "<=0.2" ], + "jupyterhub-systemdspawner": [ + "<0.15" + ], + "jupyterlab": [ + "<3.0.8", + "<3.1.0", + "<3.1.0b2" + ], + "jupytext": [ + "<1.10.3", + "<1.11.3" + ], "jw.util": [ "<2.3" ], @@ -1872,6 +2370,9 @@ "<3.0.0", "<3.3.0" ], + "keplergl": [ + "<2.4.0" + ], "keyring": [ "<0.10", "<0.9.1", @@ -1891,7 +2392,8 @@ ">=2.0,<2.3.3" ], "khoros": [ - "<2.2.0" + "<2.2.0", + "<3.5.0" ], "khorosjx": [ "<2.3.1", @@ -1961,9 +2463,6 @@ "lambda-tools": [ "<0.1.2" ], - "lambda-warmer-py": [ - "<1.2.0" - ], "lambdajson": [ "<0.1.5" ], @@ -1982,15 +2481,23 @@ "launchdarkly-server-sdk": [ "<6.12.2" ], + "launchkey": [ + "<3.9.1" + ], "layeredimage": [ - "<2020.6.4" + "<2020.6.4", + "<2021.2.1" ], "ldap3": [ "<0.9.5.4", "<2.4" ], "lemur": [ - "<0.1.5" + "<0.1.5", + "<0.9.0" + ], + "libhxl": [ + "<4.21.3" ], "libtaxii": [ "<1.1.105" @@ -2000,6 +2507,9 @@ "<1.6.3", "<1.7.6" ], + "line-item-manager": [ + "<0.2.2" + ], "lithops": [ "<1.0.1", "<1.0.19" 
@@ -2030,7 +2540,8 @@ "<3.3.5", "<4.4.0", "<4.6.1", - "<4.6.2" + "<4.6.2", + "<4.6.3" ], "mackup": [ "<0.8.28" @@ -2067,7 +2578,8 @@ "<1.0.1.14", "<1.0.1.15", "<2.3.5", - "<=2.3.8" + "<=2.3.8", + ">=1.0.1.18,<2.4.0" ], "marshmallow": [ "<2.15.1", @@ -2085,9 +2597,21 @@ "martypy": [ "<1.2" ], + "masz": [ + "<1.8.1" + ], + "matrix-registration": [ + "<0.7.1" + ], "matrix-sydent": [ "<1.0.2" ], + "matrix-synapse": [ + "<1.33.2" + ], + "matrixctl": [ + "<0.10.0" + ], "matthisk-httpsig": [ "<1.0.0" ], @@ -2140,6 +2664,16 @@ "<1.6a1", "<1.6a2" ], + "mikado": [ + "<2.1.0" + ], + "mindspore": [ + "<0.5.0b", + "<0.5.0beta", + "<0.6.0b", + "<0.7.0b", + "<1.0.0" + ], "mini-amf": [ "<0.8" ], @@ -2166,6 +2700,9 @@ "<0.8.1", "==0.7.4" ], + "mitiq": [ + "<0.4.0" + ], "mitmproxy": [ "<0.17", "<4.0.3", @@ -2179,7 +2716,8 @@ "<0.0.2" ], "mkdocs-material": [ - "<1.0.0" + "<1.0.0", + "<7.0.6" ], "mkdocs-table-reader-plugin": [ "<0.2" @@ -2187,6 +2725,12 @@ "mlalchemy": [ "<0.2.2" ], + "mlf-core": [ + "<1.10.0" + ], + "mockintosh": [ + "<0.4" + ], "mockup": [ "<2.1.3" ], @@ -2213,13 +2757,22 @@ "mosql": [ "<0.10" ], + "mpxj": [ + "<5.0.0", + "<8.1.4", + "<8.3.5" + ], "mpymodcore": [ "<0.0.12", "<0.0.9", "<=0.0.14", "<=0.0.15", "<=0.0.17", - "<=0.0.18" + "<=0.0.18", + "<=0.0.19" + ], + "mqtt-io": [ + "<0.5.2" ], "mr.migrator": [ "<1.2" @@ -2230,6 +2783,9 @@ "mss": [ "<2.0.18" ], + "msticpy": [ + "<1.1.0" + ], "mtga": [ "<2.0.0beta" ], @@ -2238,7 +2794,8 @@ "<1.0.6" ], "muffnn": [ - "<2.3.1" + "<2.3.1", + "<2.3.2" ], "murano-dashboard": [ "<1.0.3", @@ -2257,6 +2814,12 @@ "<2.0.4", "<=8.0.13" ], + "naas": [ + "<1.5.22" + ], + "naas-drivers": [ + "<0.66.7" + ], "nanopb": [ "<0.2.8", "<0.2.9.1", 
@@ -2270,12 +2833,30 @@ "nba-scraper": [ "<0.2.7" ], + "nbgrader": [ + "<0.6.0" + ], + "nbsafety": [ + "<0.0.69" + ], + "ncbimeta": [ + "<0.8.0" + ], "nearbeach": [ "<0.22.1" ], + "nemo": [ + "<2.3.3", + "<3.6.0", + "<3.8.0", + "<3.9.2" + ], "neo-python": [ "<0.7.8" ], + "nepse-api": [ + "<0.3" + ], "netdumplings": [ "<0.4.0" ], @@ -2291,7 +2872,10 @@ "neutron": [ ">=11.0,<11.0.7", ">=12.0,<12.0.6", - ">=13.0,<13.0.3" + ">=13.0,<13.0.3", + ">=15.3.0a1,<15.3.3", + ">=16.3.0a1,<16.3.1", + ">=17.1.0a1,<17.1.1" ], "newrelic": [ ">=1.1.0.192,<=2.106.0.87" @@ -2308,6 +2892,25 @@ "nifcloud": [ "<0.1.7" ], + "nkocr": [ + "<2.0.0", + "<2.0.1" + ], + "nni": [ + "<2.1" + ], + "nobinobi-child": [ + "<0.1.3.6", + "<0.1.3.7" + ], + "nobinobi-core": [ + "<0.1.4.1" + ], + "nobinobi-daily-follow-up": [ + "<0.1.1.11", + "<0.1.1.12", + "<0.1.1.9" + ], "noiseprotocol": [ "<0.2.1" ], @@ -2320,7 +2923,15 @@ ], "notebook": [ "<4.0.5", - ">=4.0,<4.0.5" + "<5.4.1", + "<5.7.3", + "<5.7.6", + "<5.7.8", + "<6.0", + "<6.0.2", + "<6.1.5", + ">=4.0,<4.0.5", + ">=4.0.0a1,<4.2.2" ], "notifications-python-client": [ "<4.7.1" @@ -2336,6 +2947,9 @@ ">=20.0.0.0rc1,<20.1.0", ">=20.0.0.0rc1,<20.3.1" ], + "nox-poetry": [ + "<0.8.2" + ], "nrel-rex": [ "<0.2.16" ], @@ -2344,6 +2958,9 @@ "<0.8.0", "<0.9.1" ], + "nuitka": [ + "<0.6.12" + ], "nukikata": [ "<1.4.0" ], @@ -2377,9 +2994,14 @@ "oci": [ "<2.0.2", "<2.1.3", - "<2.10.0" + "<2.10.0", + "<2.24.1", + "<2.37.0" ], "oci-cli": [ + "<2.22.1", + "<2.24.0", + "<2.24.4", "<2.4.10", "<2.4.40", "<2.5.9", @@ -2394,6 +3016,19 @@ "oe-geoutils": [ "<1.5.2" ], + "oic": [ + "<1.2.1" + ], + "omero-web": [ + "<5.9.0" + ], + "omnizart": [ + "<0.3.3" + ], + "onefuzz": [ + "<2.5.0", + "<2.7.0" + ], "onegov.form": [ "<0.16.1" ], @@ -2446,6 +3081,10 @@ "opentaxii": [ "<0.1.11" ], + "openvino": [ + "<2020.3.1", + "<2021.2" + ], "optimade": [ "<0.7.0" ], @@ -2455,6 +3094,9 @@ "ores": [ "<1.3.1" ], + "ormar": [ + "<0.10.9" + ], "osc": [ "<0.123", "<0.134", 
@@ -2475,6 +3117,10 @@ "owlmixin": [ "<2.0.0a12" ], + "pact-python": [ + "<1.3.6", + "<1.3.7" + ], "pakettikauppa": [ "<0.1.2" ], @@ -2492,6 +3138,9 @@ "<0.39", "<0.42" ], + "pangres": [ + "<2.1" + ], "panoptes-utils": [ "<0.2.21" ], @@ -2520,6 +3169,9 @@ "pathfinder": [ "<0.5.4" ], + "payton": [ + "<0.1.4" + ], "pconf": [ "<1.3.3" ], @@ -2530,6 +3182,7 @@ "<0.0.2" ], "pdfreader": [ + "<0.1.6", "<0.1.6.dev1" ], "pdkit": [ @@ -2548,19 +3201,39 @@ "<0.5.6", "<0.8.0" ], + "pfun": [ + "<0.12.0" + ], "phileo": [ "<0.3" ], + "phoenix-letter": [ + "<0.2.0" + ], + "phonenumbers": [ + "<8.3.1" + ], + "pi-mqtt-gpio": [ + "<0.5.2" + ], + "pib-cli": [ + "<0.0.9" + ], "piccolo": [ + "<0.13.1", "<0.2", "<0.9.1" ], "piccolo-admin": [ + "<0.13.1", "<0.9.1" ], "pigar": [ "<0.9.1" ], + "pikepdf": [ + ">=1.3.0,<=2.9.2" + ], "pillow": [ "<2.3.1", "<2.3.2", @@ -2576,7 +3249,13 @@ "<6.2.2", "<6.2.3", "<7.0.0", + "<8.0.1", + "<8.1.0", + "<8.1.1", + "<8.1.2", + "<8.2.0", "<=7.0.0", + "<=8.2.0", ">6.0,<6.2.2", ">=7.0.0,<7.0.1" ], @@ -2601,6 +3280,7 @@ "<1.4", "<1.5", "<19.2", + "<21.1", "<6.0", "<6.1.0" ], @@ -2629,10 +3309,15 @@ "<4.2", "<4.2.3", "<4.3", + "<4.3.18", "<4.3b1", "<5.2.2", "<5.2.2rc1", + "<5.2.3", + "<5.2.4", + "<=5.2.4", "==3.3.5,==3.3.4,==3.3.3,==3.3.2", + "==5.2.3", ">4,<4.2a2", ">4,<=4.3.11", ">4,<=4.3.15", @@ -2650,6 +3335,7 @@ ">=4.3,<=5.2.1", ">=5.0,<5.1rc1", ">=5.0,<=5.2.1", + ">=5.0.0,<=5.2.4", ">=5.2.0,<=5.2.1" ], "plone-app-contentmenu": [ @@ -2716,6 +3402,9 @@ "plone.openid": [ "<2.0.2" ], + "plone.portlet.static": [ + "<1.2" + ], "plone.recipe.varnish": [ "<6.0.0b1" ], @@ -2751,6 +3440,17 @@ "podder-task-base": [ "<0.4.0" ], + "podman": [ + "<0.11.1", + "<0.12.1.1", + "<3.0.0" + ], + "podman-py": [ + "<0.11.1", + "<0.12.1.1", + "<1.9.0rc2", + "<3.0.0" + ], "pokedex.py": [ "<1.1.2" ], @@ -2764,6 +3464,9 @@ "<0.5.5", "<0.6.0" ], + "polyswarm-client": [ + "<2.11.7" + ], "poorwsgi": [ "<1.0.2" ], 
@@ -2772,6 +3475,9 @@ "<2.8.0rc6", ">=2.6,<2.7.3" ], + "portray": [ + "<1.6.0" + ], "postfix-mta-sts-resolver": [ "<0.6.1" ], @@ -2785,6 +3491,13 @@ "priority": [ "<1.2.0" ], + "prisma-cloud-pipeline": [ + "<0.1.3" + ], + "privacyidea": [ + "<3.4.1", + "<3.6" + ], "products-cmfcore": [ "<2.1.0beta2" ], @@ -2815,6 +3528,9 @@ "products.dcworkflow": [ "<2.1.0beta2" ], + "products.genericsetup": [ + "<2.1.1" + ], "products.ldapuserfolder": [ "<2.19", "==2.9" @@ -2825,28 +3541,61 @@ "products.plonepas": [ ">3.2.2,<3.9" ], + "products.pluggableauthservice": [ + "<2.6.0", + "<2.6.2", + "<2.6.3" + ], "products.poi": [ "<2.2.3" ], + "projen": [ + "<0.3.10", + "<0.7.0", + "<0.8.0", + "<0.9.0" + ], "psd-tools": [ "<1.8.31", ">=1.8.37,<=1.9.3" ], + "psiz": [ + "<0.4.1" + ], "psutil": [ "<=5.6.5" ], "ptah": [ "<0.3.3" ], + "puccini": [ + "<0.3" + ], + "pulpcore": [ + "<3.11.0" + ], "pulumi-kubernetes": [ "<2.6.0" ], "puput": [ "<1.0.4" ], + "pupyl": [ + "<0.10.4", + "<0.10.5", + "<0.10.6", + "<0.11.1" + ], + "purdy": [ + "<1.8.0" + ], "pure": [ "<1.5.2" ], + "pushradar": [ + "<3.0.0a2", + "<3.0.0alpha.2" + ], "pwd": [ "<0", ">0" @@ -2854,6 +3603,12 @@ "pwman3": [ "<0.4.0" ], + "pwntools": [ + "<4.3.1" + ], + "py": [ + "<=1.9.0" + ], "py-bcrypt": [ "<0.3" ], @@ -2872,6 +3627,9 @@ "py-hiverunner": [ "<5.0.0" ], + "py-mon": [ + "<1.18.7" + ], "py-ms": [ "<1.0.1" ], @@ -2886,6 +3644,9 @@ "py-rate": [ "<0.3.0" ], + "py-steamcmd-wrapper": [ + "<1.0.6" + ], "py3web": [ "<0.21" ], @@ -2907,6 +3668,9 @@ "pybible-cli": [ "<1.1.2" ], + "pyca": [ + "<3.3" + ], "pycapnp": [ "<0.5.5" ], @@ -2928,6 +3692,9 @@ "<0.2.0", "<0.4.5" ], + "pycrtsh": [ + "<0.3.4" + ], "pycryptex": [ "<0.5.0" ], @@ -2945,6 +3712,11 @@ "pydal": [ "<15.02.27" ], + "pydantic": [ + ">=1.6.0a1,<1.6.2", + ">=1.7.0a1,<1.7.4", + ">=1.8.0a1,<1.8.2" + ], "pydotz": [ "<1.2.0" ], 
@@ -2962,10 +3734,20 @@ "<0.5.1", "<0.5.2" ], + "pygopherd": [ + "<0.9.0" + ], "pygresql": [ "<4.0" ], + "pyhanko": [ + "<0.3.0" + ], + "pyhf": [ + "<0.6.2" + ], "pyinaturalist": [ + "<0.7", "<0.7.0" ], "pyinstaller": [ @@ -2988,7 +3770,8 @@ "<2.0.0pre05" ], "pylint": [ - "<2.5.0" + "<2.5.0", + "<2.7.0" ], "pylivetrader": [ "<0.2.0" @@ -3000,6 +3783,9 @@ "<1.0.1rc1", "<1.0.2" ], + "pyloot": [ + "<0.0.6" + ], "pymemcache": [ "<1.3.6" ], @@ -3025,6 +3811,9 @@ "pyoes": [ "<0.9.0" ], + "pyomo": [ + "<5.7.2" + ], "pyopenssl": [ "<0.13.1", "<17.5.0" @@ -3046,6 +3835,13 @@ "<0.6.2", "<0.7.0" ], + "pypostalcode": [ + "<0.3.5", + "<0.3.6" + ], + "pyqlib": [ + ">=0.0.0" + ], "pyrad": [ "<0.6" ], @@ -3086,6 +3882,7 @@ "pysaml2": [ "<4.4.0", "<5.0.0", + "<6.5.0", "<=4.4.0" ], "pysandbox": [ @@ -3106,6 +3903,18 @@ "pyspf": [ "<2.0.1" ], + "pysstv": [ + "<0.5" + ], + "pytablewriter": [ + "<0.47.0" + ], + "pytask": [ + "<0.0.7" + ], + "pytask-latex": [ + "<0.0.7" + ], "pytest-aoc": [ "<1.2a6" ], @@ -3136,17 +3945,26 @@ "<2.5.6c1", "<2.6.8", "<2.7.12", + "<3.6.13", + "<3.8.9", + "<3.9.5", ">=2.6,<2.6.7", ">=2.6,<3.3", ">=2.7,<2.7.2", ">=2.7,<2.7.3", ">=3.0,<3.1.5", ">=3.0,<3.4.5", + ">=3.0.0,<=3.9.1", ">=3.1,<3.1.5", ">=3.1,<3.4", + ">=3.10.0,<3.10.0a7", ">=3.2,<3.2.1", ">=3.2,<3.2.3", - ">=3.5,<3.5.2" + ">=3.5,<3.5.2", + ">=3.7.0,<3.7.10", + ">=3.8.0,<3.8.8", + ">=3.9.0,<3.9.2", + ">=3.9.0,<3.9.3" ], "python-augeas": [ "<1.0.0" @@ -3190,7 +4008,8 @@ ">=2.0,<2.3.3" ], "python-libnmap": [ - "<0.6.3" + "<0.6.3", + "<0.7.2" ], "python-libtorrent": [ "<1.0.6" @@ -3218,7 +4037,8 @@ "python-saml": [ "<2.1.6", "<2.1.9", - "<2.4.0" + "<2.4.0", + "<2.5.0" ], "python-secrets": [ "<0.9.1", @@ -3242,7 +4062,8 @@ "<1.1.4", "<1.2.0", "<1.2.6", - "<1.4.0" + "<1.4.0", + "<1.5.0" ], "pytorch-lightning": [ "<0.9.0" @@ -3271,7 +4092,9 @@ "<0.14.3", "<0.17.0", "<1.0.0", - "<1.0.0b1" + "<1.0.0b1", + "<1.2.0", + "<1.2.0.dev1" ], "pywbemtools": [ "<0.6.0" 
@@ -3281,7 +4104,8 @@ "<0.1.9pre" ], "pywikibot": [ - "<3.0.20181203" + "<3.0.20181203", + "<6.1.0" ], "pywren-ibm-cloud": [ "<1.0.1", @@ -3296,6 +4120,7 @@ "pyyaml": [ "<4", "<5.3.1", + "<5.4", ">=5.1,<=5.1.2" ], "qi-jabberhelpdesk": [ @@ -3304,9 +4129,16 @@ "qi.jabberhelpdesk": [ "<0.30" ], + "qlib": [ + ">=0.0.0" + ], "quandl-fund-xlsx": [ "<0.2.1" ], + "quart": [ + "<0.4.0", + "<0.5.0" + ], "quilt": [ "<2.9.14" ], @@ -3323,6 +4155,7 @@ "<1.0.3", "<1.1.2", "<1.11.1", + "<1.14.1", "<1.3.0", "<1.3.3", "<1.4.0", @@ -3351,8 +4184,12 @@ "ramlwrap": [ "<2.2.2" ], + "rapidtide": [ + "<2.0.2" + ], "rasa": [ - "<1.10.0" + "<1.10.0", + "<2.1.0" ], "rasa-sdk": [ "<1.10.0" @@ -3367,6 +4204,9 @@ "rchitect": [ "<0.3.28" ], + "rdflib": [ + "<4.0" + ], "rdiff-backup": [ "<0.5.0", "<0.9.3", @@ -3379,6 +4219,9 @@ "recurly": [ "<=2.6.2" ], + "refitt": [ + "<0.16.5" + ], "remme": [ "<0.2.1alpha", "<0.5.0-alpha" @@ -3396,7 +4239,8 @@ "<2.0.2" ], "reportlab": [ - "<=3.5.26" + "<=3.5.26", + ">=0.0" ], "requests": [ "<2.3.0", @@ -3435,6 +4279,12 @@ "river-admin": [ "<0.5.2" ], + "rmapy": [ + "<0.2.4" + ], + "rnalysis": [ + "<1.3.6" + ], "robotraconteur": [ "<0.9.0" ], @@ -3486,6 +4336,9 @@ "rtv": [ "<1.12.1" ], + "rubicon-ml": [ + "<0.2.6" + ], "ruffruffs": [ "<2.6.0" ], @@ -3501,12 +4354,19 @@ "sagemaker-containers": [ "<2.8.2" ], + "sagemaker-pytorch-inference": [ + "<1.4.1" + ], "salt": [ "<3000.4", "<3001.1", + "<=3002", ">=3001,<3001.2", ">=3002,<3002.1" ], + "salted": [ + "<0.5.4" + ], "sanic-oauthlib": [ "<0.5.0", "<0.9.1" @@ -3533,6 +4393,9 @@ "scons": [ "<4.0.0" ], + "scrape": [ + "<0.10.2" + ], "scrapydd": [ "<0.6.3" ], @@ -3565,13 +4428,28 @@ "<0.13.0" ], "seldon-core": [ - "<0.5.1" + "<0.2.4", + "<0.3.0", + "<0.4.0", + "<0.4.2", + "<0.5.1", + "<1.0.0", + "<1.0.2", + "<1.2.0", + "<1.6.0" + ], + "selenium-support": [ + "<0.0.1" ], "selenium-wire": [ "<1.2.1" ], + "semversioner": [ + "<0.13.0" + ], "sentry": [ "<0.12.2", + "<5.7.0", "<6.1.1", "<7.4.0", "<7.5.5", 
@@ -3616,21 +4494,43 @@ "<0.6.5", "<0.9.3" ], + "shuup": [ + "<2.11.0" + ], + "simple-swagger": [ + "<0.1.0" + ], "simplemonitor": [ "<2.7" ], + "simplesockets": [ + "<0.1.0" + ], "simulaqron": [ "<3.0.7" ], + "skill-sdk": [ + "<0.10.5" + ], "slackeventsapi": [ "<2.1.0" ], + "sleap": [ + "<1.0.10a4", + "<1.0.10a5" + ], + "smbprotocol": [ + "<1.4.0" + ], "smeagol": [ "<0.1.0" ], "smqtk": [ "<0.11.0" ], + "smtpdfix": [ + "<0.2.9" + ], "snakemake": [ "<5.28.0" ], @@ -3663,12 +4563,18 @@ "sparselandtools": [ "<1.0.1" ], + "sparsify": [ + "<0.1.1" + ], "sphinx": [ "<3.0.4" ], "sphinx-paragraph-extractor": [ "<1.0.4" ], + "sphinx-wagtail-theme": [ + "<4.3.0" + ], "spintest": [ "<0.2.0" ], @@ -3679,6 +4585,12 @@ "splunk-sdk": [ "<1.6.6" ], + "spotdl": [ + "<3.6.0" + ], + "spotify-gender-ex": [ + "<2.4.0" + ], "spud": [ "<0.8" ], @@ -3705,9 +4617,16 @@ "ssh-decorate": [ ">=0.28,<=0.31" ], + "ssh-mitm": [ + "<0.3.11", + "<0.3.12" + ], "sslyze": [ "<3.0.2" ], + "st2client": [ + "<3.4.1" + ], "starcluster": [ "<0.95.3" ], @@ -3752,7 +4671,11 @@ "<=0.4" ], "suds-community": [ - "<0.7.0" + "<0.7.0", + ">=0.4.1,<0.7.0" + ], + "superdesk-planning": [ + "<2.0.2" ], "superset": [ "<0.11.0a", @@ -3779,12 +4702,18 @@ "svglib": [ "<=0.9.3" ], + "svmbir": [ + "<0.2.3" + ], "swauth": [ "<1.1.0" ], "swift": [ "<2.6.0", - ">=1.0.2,<2.15.2" + "<=2.10.1", + "==2.14.0", + ">=1.0.2,<2.15.2", + ">=2.11.0,<=2.13.0" ], "swifter": [ "<0.292" @@ -3793,6 +4722,17 @@ "<0.2.3", "<0.2.3.a1" ], + "synapse": [ + "<1.25.0", + "<1.27.0", + "<1.28.0" + ], + "synapse-downloader": [ + "<0.0.5" + ], + "synology-api": [ + "<0.2.1" + ], "synse": [ "<2.1.2", "<2.2.4", @@ -3807,13 +4747,26 @@ "<1.8.3", "<1.9.1" ], + "tapestry": [ + "<1.1.0" + ], + "tapipy": [ + "<0.3.10" + ], "taskcluster": [ - "<24.1.3" + "<24.1.3", + "<43.1.0" ], "tbats": [ "<1.0.7", "<1.0.8" ], + "td-ameritrade-python-api": [ + "<0.3.2" + ], + "telegram-stats-bot": [ + "<0.3.1" + ], "telemeta": [ "<1.4.31" ], 
@@ -3836,6 +4789,8 @@ "<12.2", "<12.3.1", "<12.3.2", + "<12.4.13", + "<12.4.8", "<7.4.0" ], "teneto": [ @@ -3844,28 +4799,64 @@ "tensorflow": [ "<1.10.0", "<1.12.2", + "<1.15", "<1.15.0", "<1.15.3", + "<1.15.5", + "<1.6.0a1", + "<1.7.0", + "<1.7.0a1", + "<1.7.1", + "<2.4.0", + "<=1.7", ">=1.0,<1.15.2", ">=1.0.0,<1.15.2", ">=1.15.0rc0,<1.15.4", + ">=2.0.0,<2.0.4", + ">=2.0.0,<2.1.0", ">=2.0.0a0,<2.0.1", ">=2.0.0a0,<2.0.2", ">=2.0.0a0,<2.0.3", + ">=2.0.0a0,<2.0.4", + ">=2.0.0rc0, <2.0.1", + ">=2.1.0,<2.1.1", + ">=2.1.0,<2.1.3", ">=2.1.0rc0,<2.1.2", + ">=2.1.0rc0,<2.1.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0,<2.2.2", ">=2.2.0rc0,<2.2.1", + ">=2.2.0rc0,<2.2.2", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0,<2.3.2", ">=2.3.0rc0,<2.3.1", - ">=2.4.0rc0,<2.4.0" + ">=2.3.0rc0,<2.3.2", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.0", + ">=2.4.0rc0,<2.4.2", + ">=2.4.0rc0,<=2.4.0rc4", + ">=2.5.0rc0,<2.5.0" ], "tensorflow-directml": [ "<1.10.0", "<1.12.2", + "<1.12.3", "<1.15.2", - "<1.15.3" + "<1.15.3", + "<1.15.4", + "<1.15.5", + ">=1.15.0,<1.15.5" ], "tensorpy": [ "<1.5.0" ], + "termius": [ + "<1.2.13", + "<1.2.15" + ], + "tern": [ + "<2.5.0" + ], "textract": [ "<1.5.0" ], @@ -3874,9 +4865,18 @@ "<0.5.1", "<0.5.6" ], + "tg": [ + "<0.1.3" + ], "thamos": [ "<0.1.0" ], + "thefuck": [ + "<3.31" + ], + "thinc": [ + "<8.0.4" + ], "thorn": [ "<1.1.0" ], @@ -3889,6 +4889,12 @@ "tiddlyweb": [ "<1.2.18" ], + "time-series-metadata": [ + "<0.1.1" + ], + "timetagger": [ + "<21.3.3" + ], "tink": [ "<1.4.0" ], @@ -3898,15 +4904,25 @@ "tinydb": [ "<2.0.0" ], + "tksvg": [ + "<0.6" + ], "tlslite": [ "<0.4.9" ], + "tlslite-ng": [ + "<0.7.6", + ">=0.8.0-alpha1,<0.8.0-alpha39" + ], "tmc": [ "<0.3.5" ], "tmt": [ "<0.19" ], + "toggl-to-sqlite": [ + "<0.3.1" + ], "tomtoolkit": [ "<1.6.1", "<1.6.1alpha.1" @@ -3924,6 +4940,9 @@ "tracauthopenid": [ "<0.4.4" ], + "transformers": [ + "<4.5.0" + ], "trash-cli": [ "<0.17.1.14" ], 
@@ -3954,6 +4973,28 @@ "<0.11.1", "<0.12.dev0" ], + "tutor": [ + "<10.0.5", + "<10.1.0", + "<10.2.0", + "<10.5.3", + "<11.0.1", + "<11.0.6", + "<11.0.7", + "<11.1.1", + "<11.1.3", + "<11.1.4", + "<11.1.5", + "<11.2.10", + "<11.2.2", + "<11.2.7", + "<3.12.3", + "<3.3.5", + "<3.5.2", + "<3.6.0", + "<3.6.3", + "<3.9.0" + ], "tweepy": [ "<3.0" ], @@ -3963,9 +5004,13 @@ "twine": [ "<2.0.0" ], + "twirp": [ + "<5.5.1" + ], "twisted": [ "<16.4.0", "<17.1.0", + "<19.10.0", "<19.2.0", "<19.2.1", "<19.7.0", @@ -3984,6 +5029,9 @@ "typesense": [ "<0.13.0" ], + "uciparse": [ + "<0.1.9" + ], "udata": [ "<1.6.16", "<2.0.2" @@ -3991,6 +5039,9 @@ "ugoira": [ "<0.5.0" ], + "uiautomator2": [ + "<2.13.2" + ], "unicef-locations": [ "<1.4.2" ], @@ -4017,7 +5068,8 @@ "<=1.24.1", "==1.17", "==1.18", - ">=1.25.2,<=1.25.7" + ">=1.25.2,<=1.25.7", + ">=1.26.0,<1.26.4" ], "uvicorn": [ "<0.11.7" @@ -4036,6 +5088,9 @@ "<0.4.9", "<0.5.0" ], + "vineyard": [ + "<0.1.2" + ], "vips-hash": [ "<0.2.0" ], @@ -4045,11 +5100,15 @@ "virustotal-python": [ "<0.0.3", "<0.0.8", - "<0.0.9" + "<0.0.9", + "<0.1.2" ], "visidata": [ "<2.-2" ], + "vmsshgen": [ + "<1.0.0" + ], "vnccollab-theme": [ "<1.5.2" ], @@ -4060,9 +5119,14 @@ "<0.6.21" ], "wagtail": [ + "<2.11.8", "<2.7.2", "<2.7.3", "<2.7.4", + ">=2.11a1,<2.11.7", + ">=2.12a1,<2.12.4", + ">=2.12rc1,<=2.12.4", + ">=2.13rc1,<=2.13.1", ">=2.7.0,<2.7.4", ">=2.8,<2.8.1", ">=2.8.0,<2.8.2", @@ -4085,9 +5149,15 @@ "<0.8.0", "<0.8.2" ], + "warfit-learn": [ + "<0.2" + ], "wasmer": [ "<0.2.1" ], + "wasmtime": [ + "<0.27.0" + ], "watchmaker": [ "<0.14.0" ], @@ -4103,6 +5173,8 @@ "web3": [ "<1.2.7", "<1.3.1", + "<1.3.3", + "<1.3.4", "<4.7.0" ], "webargs": [ @@ -4110,15 +5182,23 @@ ">=5.0,<=5.5.2", ">=6.0.0b1,<=6.0.0b4" ], + "webauthn-rp": [ + "<0.0.10" + ], + "webchanges": [ + "<3.7.0" + ], "webp": [ "<0.1.2" ], "webscrapbook": [ "<0.20.0", - "<0.27.0" + "<0.27.0", + "<0.39.0" ], "websockets": [ - "<5.0,>=4.0.0" + "<5.0,>=4.0.0", + "<9.1" ], "werkzeug": [ "<0.11.11", 
@@ -4131,12 +5211,24 @@ "<0.8.3", ">=0.15.0,<0.15.5" ], + "whispers": [ + "<1.3.9" + ], "whitenoise": [ "<4.1.3" ], + "wikirepo": [ + "<0.1.1.5" + ], "will": [ "<0.5.4" ], + "wiperf-poller": [ + "<0.1.8" + ], + "wirecloud-keycloak": [ + "<0.3.4" + ], "wirepas-backend-client": [ "<1.2.0rc2" ], @@ -4160,6 +5252,16 @@ "xontrib-output-search": [ "<0.0.2" ], + "xpra": [ + "<0.0.7.34", + "<0.1.0", + "<0.13.9", + "<0.15.8", + "<2.3" + ], + "xscrapers": [ + "<127.0.0.150077" + ], "xtea3": [ "<1.0.0" ], @@ -4194,6 +5296,9 @@ "zhmcclient": [ "<0.21.0" ], + "zigpy-znp": [ + "<0.3.0" + ], "ziirish": [ "<0.0.7.1", "<0.1.0", @@ -4206,14 +5311,21 @@ ">=3.9,<3.9.0c2" ], "zope": [ + "<2.13.1", "<2.13.19", + "<2.5.1", "<3.9.0", + "<4.6.0", ">=2.10,<2.10.11", ">=2.11,<2.11.6", ">=2.12,<2.12.3", ">=2.8,<2.8.12", ">=2.9,<2.9.12", - ">=3.1.1,<=3.4.1" + ">=3.1.1,<=3.4.1", + ">=4.0.0a1,<4.6.1", + ">=5.0.0,<5.3.0", + ">=5.0.0a1,<5.21.0", + ">=5.0a1,<5.2" ], "zope.html": [ "<1.2" @@ -4252,7 +5364,8 @@ "<2.1.3" ], "zulip-term": [ - "<0.5.2" + "<0.5.2", + "<0.6.0" ], "zwiki": [ "<0.37", diff --git a/src/main/resources/safety-db/insecure_full.json b/src/main/resources/safety-db/insecure_full.json index c07dd05b..7a03acd5 100644 --- a/src/main/resources/safety-db/insecure_full.json +++ b/src/main/resources/safety-db/insecure_full.json 
@@ -1,8 +1,31 @@ { + "abracadabra": [ + { + "advisory": "Abracadabra 0.0.4 updates the notebook dependency to address a security vulnerability.", + "cve": "PVE-2021-39264", + "id": "pyup.io-39264", + "specs": [ + "<0.0.4" + ], + "v": "<0.0.4" + } + ], + "accesscontrol": [ + { + "advisory": "The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict access to Python modules and only exempt a few that are deemed safe, such as Python's `string` module. However, full access to the `string` module also allows access to the class `Formatter`, which can be overridden and extended within `Script (Python)` in a way that provides access to other unsafe Python libraries. Those unsafe Python libraries can be used for remote code execution. By default, you need to have the admin-level Zope \"Manager\" role to add or edit `Script (Python)` objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk. The problem has been fixed in AccessControl 4.3 and 5.2. Only AccessControl versions 4 and 5 are vulnerable, and only on Python 3, not Python 2.7. As a workaround, a site administrator can restrict adding/editing `Script (Python)` objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. 
This is the default configuration in Zope.", + "cve": "CVE-2021-32807", + "id": "pyup.io-41049", + "specs": [ + ">=4.0.0,<4.3.0", + ">=5.0.0,<5.2.0" + ], + "v": ">=4.0.0,<4.3.0,>=5.0.0,<5.2.0" + } + ], "acqusition": [ { "advisory": "acqusition is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, + "cve": "PVE-2021-34978", "id": "pyup.io-34978", "specs": [ ">0", @@ -25,7 +48,7 @@ "aethos": [ { "advisory": "Aethos 0.3.0.1 hotfixed NLTK package in setup.py and the vulnerable version.", - "cve": null, + "cve": "PVE-2021-37721", "id": "pyup.io-37721", "specs": [ "<0.3.0.1" @@ -36,7 +59,7 @@ "agraph-python": [ { "advisory": "Agraph-python 101.0.1 updates urllib3 from 1.22 to 1.23 and requests from 2.18.4 to 2.20.0 for security reasons.", - "cve": null, + "cve": "PVE-2021-38506", "id": "pyup.io-38506", "specs": [ "<101.0.1" @@ -45,7 +68,7 @@ }, { "advisory": "Agraph-python before 101.0.3 updates numpy to 1.16.0 and urllib3 to 1.24.2 for security reasons.", - "cve": null, + "cve": "PVE-2021-37085", "id": "pyup.io-37085", "specs": [ "<101.0.3" @@ -56,7 +79,7 @@ "aiida": [ { "advisory": "Aiida 0.12.3 fixes a security vulnerability by upgrading `paramiko` to `2.4.2`.", - "cve": null, + "cve": "PVE-2021-37054", "id": "pyup.io-37054", "specs": [ "<0.12.3" 
@@ -67,18 +90,27 @@ "aiida-core": [ { "advisory": "aiida-core 0.12.3 fixes security vulnerability by upgrading `paramiko` to `2.4.2`", - "cve": null, + "cve": "PVE-2021-36956", "id": "pyup.io-36956", "specs": [ "<0.12.3" ], "v": "<0.12.3" + }, + { + "advisory": "Aiida-core before 1.6.0 adds security option to toggle POST methods on/off with the 'verdi restapi --posting/--no-posting' options (it is on by default).", + "cve": "PVE-2021-40304", + "id": "pyup.io-40304", + "specs": [ + "<1.6.0" + ], + "v": "<1.6.0" } ], "aioapns": [ { "advisory": "Certificate hostname validation in aioapns version 1.10 was enabled by default for security reasons. It can be turned off by using no_cert_validation option.", - "cve": null, + "cve": "PVE-2021-38620", "id": "pyup.io-38620", "specs": [ "<1.10" @@ -89,7 +121,7 @@ "aiocoap": [ { "advisory": "The proxy in aiocoap 0.4a1 only creates log files when explicitly requested (18ddf8c). Also, support for secured protocols has been added.", - "cve": null, + "cve": "PVE-2021-37469", "id": "pyup.io-37469", "specs": [ "<0.4a1" @@ -100,7 +132,7 @@ "aiocouchdb": [ { "advisory": "aiocouchdb 0.6.0 now correctly set members for database security.", - "cve": null, + "cve": "PVE-2021-25612", "id": "pyup.io-25612", "specs": [ "<0.6.0" @@ -111,7 +143,7 @@ "aioftp": [ { "advisory": "The server of aioftp 0.15.0 uses explicit mapping of available commands for security reasons.", - "cve": null, + "cve": "PVE-2021-38045", "id": "pyup.io-38045", "specs": [ "<0.15.0" 
@@ -122,18 +154,27 @@ "aiohttp": [ { "advisory": "aiohttp 0.16.3 fixes a StaticRoute vulnerability to directory traversal attacks.", - "cve": null, + "cve": "PVE-2021-25613", "id": "pyup.io-25613", "specs": [ "<0.16.3" ], "v": "<0.16.3" + }, + { + "advisory": "Aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows \"pip install aiohttp >= 3.7.4\". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications. See CVE-2021-21330.", + "cve": "CVE-2021-21330", + "id": "pyup.io-39659", + "specs": [ + "<3.7.4" + ], + "v": "<3.7.4" } ], "aiohttp-auth-autz": [ { "advisory": "aiohttp-auth-autz before 0.2.0 isn't correctly checking the user_id in acl middleware, leading to a possible permission escalation.", - "cve": null, + "cve": "PVE-2021-32971", "id": "pyup.io-32971", "specs": [ "<0.2.0" @@ -144,7 +185,7 @@ "aiohttp-jinja2": [ { "advisory": "Aiohttp-jinja2 1.1.1 bumps minimal supported ``jinja2`` version to 2.10.1 to avoid a security vulnerability problem.", - "cve": null, + "cve": "PVE-2021-37095", "id": "pyup.io-37095", "specs": [ "<1.1.1" @@ -155,7 +196,7 @@ "aiohttp-swagger": [ { "advisory": "Aiohttp-swagger before 1.0.15 includes a version of js-yaml that's not secure.", - "cve": null, + "cve": "PVE-2021-38483", "id": "pyup.io-38483", "specs": [ "<1.0.15" @@ -166,7 +207,7 @@ "aioli": [ { "advisory": "aioli 0.16.3 fixes StaticRoute vulnerability to directory traversal attacks.", - "cve": null, + "cve": "PVE-2021-37007", "id": "pyup.io-37007", "specs": [ "<0.16.3" 
@@ -177,7 +218,7 @@ "aiootp": [ { "advisory": "Aiootp 0.10.1 reduces the effectiveness of timing analysis of the modular exponentiation in the `Opake` class' verifiers by making the process return values only after discrete intervals of time. Timing attacks on that part of the protocol may still be viable, but should be significantly reduced.", - "cve": null, + "cve": "PVE-2021-38491", "id": "pyup.io-38491", "specs": [ "<0.10.1" 
@@ -186,16 +227,70 @@ }, { "advisory": "The `Opake.client` & `Opake.client_registration` methods in aiootp version 0.11.0 take an instantiated client database instead of client credentials which improves security, efficiency & usability. This change reduces the amount of exposure received by user passwords & other credentials. It also simplifies usage of the protocol by only needing to carry around a database instead of a slew of credentials, which is also faster, since the credentials are passed through the cpu & memory hard `passcrypt` function every time to open the database.", - "cve": null, + "cve": "PVE-2021-38602", "id": "pyup.io-38602", "specs": [ "<0.11.0" ], "v": "<0.11.0" }, + { + "advisory": "Aiootp 0.13.0 contains a security patch for 'xor' and 'axor' functions which define the one-time-pad cipher (they can leak <1-bit of plaintext).", + "cve": "PVE-2021-39508", + "id": "pyup.io-39508", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + }, + { + "advisory": "Aiootp 0.17.0 includes a security patch for a critical vulnerability (highly recommended to upgrade). The HMAC verifiers on ciphertexts did not include the 'salt' or 'pid' values when deriving the HMAC. 
This associated data can therefore be changed to cause a party to decrypt a past ciphertext with a salt or pid of an attacker's choosing.", + "cve": "PVE-2021-39534", + "id": "pyup.io-39534", + "specs": [ + "<0.17.0" + ], + "v": "<0.17.0" + }, + { + "advisory": "Aiootp 0.18.0 includes a few important security patches.", + "cve": "PVE-2021-40254", + "id": "pyup.io-40254", + "specs": [ + "<0.18.0" + ], + "v": "<0.18.0" + }, + { + "advisory": "Aiootp 0.18.1 deprecates and replaces an internal 'kdf' for saving database tags due to a vulnerability.", + "cve": "PVE-2021-40253", + "id": "pyup.io-40253", + "specs": [ + "<0.18.1" + ], + "v": "<0.18.1" + }, + { + "advisory": "Aiootp 0.19.0 includes several important security patches and other improvements.", + "cve": "PVE-2021-40252", + "id": "pyup.io-40252", + "specs": [ + "<0.19.0" + ], + "v": "<0.19.0" + }, + { + "advisory": "Aiootp 0.19.3 removes 'map_encipher', 'map_decipher', 'amap_encipher' and 'amap_decipher' generators from the 'Chunky2048' and 'Comprende' classes due to security reasons.", + "cve": "PVE-2021-40251", + "id": "pyup.io-40251", + "specs": [ + "<0.19.3" + ], + "v": "<0.19.3" + }, { "advisory": "Aiootp 0.2.0 adds ephemeral salts to the ``AsyncDatabase`` & ``Database`` file encryption procedures. This is a major security fix, as re-encryption of files with the same tag in a database with the same open key would use the same streams of key material each time, breaking encryption if two different versions of a tag file's ciphertext stored to disk were available to an adversary. The database methods ``encrypt``, ``decrypt``, ``aencrypt`` & ``adecrypt`` will now produce and decipher true one-time pad ciphertext with these ephemeral salts.", - "cve": null, + "cve": "PVE-2021-38250", "id": "pyup.io-38250", "specs": [ "<0.2.0" 
@@ -204,7 +299,7 @@ }, { "advisory": "The ``AsyncDatabase`` & ``Database`` in aiootp version 0.3.0 use the more secure ``afilename`` & ``filename`` methods to derive the hashmap name and encryption streams from a user-defined tag internal to their ``aencrypt`` / ``adecrypt`` / ``encrypt`` / ``decrypt`` methods, as well as, prior to them getting called. This will break past versions of databases' ability to open their files.", - "cve": null, + "cve": "PVE-2021-38256", "id": "pyup.io-38256", "specs": [ "<0.3.0" @@ -213,7 +308,7 @@ }, { "advisory": "Aiootp 0.6.0 replaces several usages of ``random.randrange`` within ``randoms.py`` to calls to ``secrets.token_bytes`` which is faster & more secure.", - "cve": null, + "cve": "PVE-2021-38361", "id": "pyup.io-38361", "specs": [ "<0.6.0" @@ -222,7 +317,7 @@ }, { "advisory": "Aiootp 0.8.0 fixes the test_hmac and atest_hmac functions in the keys & database classes. The new non-constant-time algorithm needs a random salt to be added before doing the secondary hmac to prevent some potential exotic forms of chosen plaintext/ciphertext attacks on the algorithm. The last version of the algorithm should not be used. \r\n\r\nAlso, the 'Keys' & 'AsyncKeys' interfaces were overhauled to remove the persistance of instance salts. They were intended to be updated by users with the 'reset' & 'areset' methods, but that cannot be guaranteed easily through the class, so it is an inappropriate interface since reusing salts for encryption is completely insecure. The instances do still maintain state of their main encryption key, & new stateful methods for key generation, like 'mnemonic' & 'table_key', have been added. The 'state' & 'astate' methods have been removed.", - "cve": null, + "cve": "PVE-2021-38381", "id": "pyup.io-38381", "specs": [ "<0.8.0" 
@@ -231,7 +326,7 @@ }, { "advisory": "Aiootp 0.8.1 adds cryptographically secure pseudo-random values as default keys in encryption functions to safeguard against users accidentally encrypting data without specifying a key. This way, such mistakes will produce ciphertext with an unrecoverable key, instead of without a key at all.", - "cve": null, + "cve": "PVE-2021-38395", "id": "pyup.io-38395", "specs": [ "<0.8.1" @@ -240,7 +335,7 @@ }, { "advisory": "Aiootp 0.9.0 adds hmac codes to ciphertext for the following functions: 'json_encrypt', 'ajson_encrypt', 'bytes_encrypt', 'abytes_encrypt', 'Database.encrypt' & 'AsyncDatabase.aencrypt'. This change greatly increases the security of ciphertext by ensuring it hasn't been modified or tampered with maliciously. One-time pad ciphertext is maleable, so without hmac validation it can be changed to successfully allow decryption but return the wrong plaintext. These functions are the highest level abstractions of the library for encryption/decryption, which made them excellent targets for this important security update. As well, it isn't easily possible for the library to provide hmac codes for generators that produce ciphertext, because the end of a stream of ciphertext isn't known until after the results have left the scope of library code. So users will need to produce their own hmac codes for generator ciphertext unless we find an elegant solution to this issue. These functions now all return dictionaries with the associated hmac stored in the 'hmac' entry. The bytes functions formerly returned lists, now their ciphertext is available from the '\"ciphertext\"' entry. And, all database files will have an hmac attached to them now. These changes were designed to still be compatible with old ciphertexts but they'll likely be made incompatible by the v0.11.x major release.", - "cve": null, + "cve": "PVE-2021-38401", "id": "pyup.io-38401", "specs": [ "<0.9.0" 
@@ -249,7 +344,7 @@ }, { "advisory": "Aiootp 0.9.1 includes two security improvements:\r\n\r\n- Any falsey values for the 'salt' keyword argument in the library's 'keys', 'akeys', 'bytes_keys', 'abytes_keys', 'subkeys', & 'asubkeys' infinite keystream generators, & other functions around the library, will cause them to generate a new cryptographically secure pseudo-random value for the salt. It formerly only did this when 'salt' was 'None'. \r\n\r\n- The 'seeder' & 'aseeder' generators have been updated to introduce 512 new bits of entropy from 'secrets.token_bytes' on every iteration to ensure that the CSPRNG will produce secure outputs even if its internal state is somehow discovered. This also allows for simply calling the CSPRNG is enough, there's no longer a strong reason to pass new entropy into it manually, except to add even more entropy as desired.", - "cve": null, + "cve": "PVE-2021-38406", "id": "pyup.io-38406", "specs": [ "<0.9.1" @@ -258,7 +353,7 @@ }, { "advisory": "Aiootp 0.9.2 adds 'passcrypt' & 'apasscrypt' instance methods to 'OneTimePad', 'Keys', & 'AsyncKeys' classes. They produce password hashes that are not just secured by the salt & passcrypt algorithm settings, but also by their main symmetric instance keys. This makes passwords infeasible to crack without also compromising the instance's 512-bit key.\r\n\r\nAlso, Aiootp 0.9.2 includes further improvements to the random number generator in 'randoms.py'. This made its internals less sequential and thereby raises the bar of work needed by an attacker to successfully carry out an order prediction attack.", - "cve": null, + "cve": "PVE-2021-38409", "id": "pyup.io-38409", "specs": [ "<0.9.2" 
@@ -266,10 +361,43 @@ "v": "<0.9.2" } ], + "aiosolr": [ + { + "advisory": "Aiosolr 3.3.2 includes various security updates. No details were provided.", + "cve": "PVE-2021-40299", + "id": "pyup.io-40299", + "specs": [ + "<3.3.2" + ], + "v": "<3.3.2" + } + ], + "airtable": [ + { + "advisory": "Airtable 0.4.4 updates 'request' dependency to 2.79.0 (it removes 'tough-cookie' vulnerability warning).", + "cve": "PVE-2021-39517", + "id": "pyup.io-39517", + "specs": [ + "<0.4.4" + ], + "v": "<0.4.4" + } + ], + "ajsonrpc": [ + { + "advisory": "Ajsonrpc 1.1.0 ensures server security by having the response manager return a generic ServerError without error details in case of an application exception.", + "cve": "PVE-2021-39665", + "id": "pyup.io-39665", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], "aldryn-django": [ { "advisory": "aldryn-django 1.8.10.1 uses an insecure Django release, 1.8.9.", - "cve": null, + "cve": "PVE-2021-25614", "id": "pyup.io-25614", "specs": [ "<1.8.10.1" @@ -278,7 +406,7 @@ }, { "advisory": "aldryn-django before 1.8.18.1 uses an insecure Django release (Django <1.8.18).", - "cve": null, + "cve": "PVE-2021-34512", "id": "pyup.io-34512", "specs": [ "<1.8.18.1" @@ -289,7 +417,7 @@ "alex-ber-utils": [ { "advisory": "Alex-ber-utils 0.6.3 changed the base docker image version to 0.1.0, because it has fix for a potential security risk: Git was changed not to store credential as plain text, but to keep them in memory for 1 hour, see .", - "cve": null, + "cve": "PVE-2021-39148", "id": "pyup.io-39148", "specs": [ "<0.6.3" @@ -300,7 +428,7 @@ "alexandra": [ { "advisory": "alexandra 0.4.0 bumps dependency versions to avoid pyOpenSSL vulnerability", - "cve": null, + "cve": "PVE-2021-36552", "id": "pyup.io-36552", "specs": [ "<0.4.0" 
@@ -308,10 +436,21 @@ "v": "<0.4.0" } ], + "algorithm-toolkit": [ + { + "advisory": "Algorithm-toolkit 0.1.3beta resolves security issues with internal dependencies Pillow and marked.js.", + "cve": "PVE-2021-39381", + "id": "pyup.io-39381", + "specs": [ + "<0.1.3beta" + ], + "v": "<0.1.3beta" + } + ], "allennlp": [ { "advisory": "allennlp 0.6.1 upgrades flask to avoid security vulnerability.", - "cve": null, + "cve": "PVE-2021-36530", "id": "pyup.io-36530", "specs": [ "<0.6.1" @@ -320,7 +459,7 @@ }, { "advisory": "Allennlp 0.9.0 includes a fix for hotflip attacks.", - "cve": null, + "cve": "PVE-2021-37901", "id": "pyup.io-37901", "specs": [ "<0.9.0" @@ -331,7 +470,7 @@ "allink-core": [ { "advisory": "Allink-core 2.0.0 fixes various vulnerabilities.", - "cve": null, + "cve": "PVE-2021-39104", "id": "pyup.io-39104", "specs": [ "<2.0.0" @@ -342,7 +481,7 @@ "alt-model-checkpoint": [ { "advisory": "alt-model-checkpoint 1.0.1 upgrades dependencies, esp. for requests==2.20.0 security patch", - "cve": null, + "cve": "PVE-2021-36628", "id": "pyup.io-36628", "specs": [ "<1.0.1" @@ -353,7 +492,7 @@ "ambient-api": [ { "advisory": "ambient-api 1.5.2 updates requirements.txt to use requests>=2.2.0 due to a security vulnerability.", - "cve": null, + "cve": "PVE-2021-36594", "id": "pyup.io-36594", "specs": [ "<1.5.2" @@ -373,7 +512,7 @@ }, { "advisory": "ampache 3.8.2 fixes a potential security vulnerability on smartplaylist search rule and catalog management actions", - "cve": null, + "cve": "PVE-2021-37864", "id": "pyup.io-37864", "specs": [ "<3.8.2" 
@@ -381,19 +520,28 @@ "v": "<3.8.2" }, { - "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12385 for the SQL Injection\r\n* Resolves CVE-2019-12386 for the persistent XSS\r\n* Resolves NS-18-046 Multiple Reflected Cross-site Scripting Vulnerabilities in Ampache 3.9.0", - "cve": "CVE-2019-12385, CVE-2019-12386", + "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12385 for the SQL Injection", + "cve": "CVE-2019-12385", "id": "pyup.io-37863", "specs": [ "<4.0.0" ], "v": "<4.0.0" + }, + { + "advisory": "ampache 4.0.0:\r\n* Resolves CVE-2019-12386 for the persistent XSS\r\n* Resolves NS-18-046 Multiple Reflected Cross-site Scripting Vulnerabilities in Ampache 3.9.0", + "cve": "CVE-2019-12386", + "id": "pyup.io-39602", + "specs": [ + "<4.0.0" + ], + "v": "<4.0.0" } ], "amundsen-frontend": [ { "advisory": "amundsen-frontend 3.0.0 bumps serialize-javascript to a newer version that is more secure.", - "cve": null, + "cve": "PVE-2021-39065", "id": "pyup.io-39065", "specs": [ "<3.0.0" @@ -404,7 +552,7 @@ "anncolvar": [ { "advisory": "anncolvar 0.4 updates requirements.txt to fix security issues.", - "cve": null, + "cve": "PVE-2021-36803", "id": "pyup.io-36803", "specs": [ "<0.4" @@ -415,7 +563,7 @@ "annotator": [ { "advisory": "annotator 0.11.2 fixes a bug that allowed authenticated users to overwrite annotations on which they did not have permissions.", - "cve": null, + "cve": "PVE-2021-25615", "id": "pyup.io-25615", "specs": [ "<0.11.2" @@ -426,7 +574,7 @@ "ansible": [ { "advisory": "ansible 1.2.3 includes local security fixes for predictable file locations for ControlPersist and retry file paths on shared machines on operating systems without kernel symlink/hardlink protections.", - "cve": null, + "cve": "PVE-2021-25616", "id": "pyup.io-25616", "specs": [ "<1.2.3" 
@@ -435,7 +583,7 @@
  },
  {
  "advisory": "ansible 1.5.4 includes a security fix for safe_eval, which further hardens the checking of the evaluation function.",
- "cve": null,
+ "cve": "PVE-2021-25617",
  "id": "pyup.io-25617",
  "specs": [
  "<1.5.4"
@@ -444,7 +592,7 @@
  },
  {
  "advisory": "ansible 1.5.5 includes a security fix for vault, to ensure the umask is set to a restrictive mode before creating/editing vault files.",
- "cve": null,
+ "cve": "PVE-2021-25618",
  "id": "pyup.io-25618",
  "specs": [
  "<1.5.5"
@@ -453,7 +601,7 @@
  },
  {
  "advisory": "ansible includes 1.6.4 security updates related to evaluation of untrusted remote inputs.",
- "cve": null,
+ "cve": "PVE-2021-25619",
  "id": "pyup.io-25619",
  "specs": [
  "<1.6.4"
@@ -462,7 +610,7 @@
  },
  {
  "advisory": "ansible 1.6.6 includes security updates to further protect against the incorrect execution of untrusted data.",
- "cve": null,
+ "cve": "PVE-2021-25620",
  "id": "pyup.io-25620",
  "specs": [
  "<1.6.6"
@@ -480,7 +628,7 @@
  },
  {
  "advisory": "ansible 1.7 contains two security fixes:\r\n- Prevent the use of lookups when using legacy \" \" syntax around variables and with_* loops.\r\n - Remove relative paths in TAR-archived file names used by ansible-galaxy.",
- "cve": null,
+ "cve": "PVE-2021-25622",
  "id": "pyup.io-25622",
  "specs": [
  "<1.7"
@@ -489,7 +637,7 @@
  },
  {
  "advisory": "ansible 1.7.1 contains a security fix to disallow specifying 'args:' as a string, which could allow the insertion of extra module parameters through variables.",
- "cve": null,
+ "cve": "PVE-2021-25623",
  "id": "pyup.io-25623",
  "specs": [
  "<1.7.1"
@@ -498,7 +646,7 @@
  },
  {
  "advisory": "ansible 1.8.3 fixes a security bug related to the default permissions set on a temporary file created when using \"ansible-vault view \".",
- "cve": null,
+ "cve": "PVE-2021-25624",
  "id": "pyup.io-25624",
  "specs": [
  "<1.8.3"
@@ -534,7 +682,7 @@
  },
  {
  "advisory": "ansible before 2.2.1 is vulnerable to arbitrary code execution. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server as the user and group Ansible is running as.",
- "cve": null,
+ "cve": "PVE-2021-33286",
  "id": "pyup.io-33286",
  "specs": [
  "<2.2.1"
@@ -554,7 +702,7 @@
  "ansible-runner": [
  {
  "advisory": "ansible-runner 1.3.1 adds fixes to make default file permissions much more secure, upgrading is recommended.",
- "cve": null,
+ "cve": "PVE-2021-36995",
  "id": "pyup.io-36995",
  "specs": [
  "<1.3.1"
@@ -576,7 +724,7 @@
  "ansigenome": [
  {
  "advisory": "ansigenome before 0.6.0 uses yaml.load instead of yaml.safe_load, allowing a code execution vulnerability.",
- "cve": null,
+ "cve": "PVE-2021-34505",
  "id": "pyup.io-34505",
  "specs": [
  "<0.6.0"
@@ -584,15 +732,119 @@ "v": "<0.6.0" } ], + "ansitoimg": [ + { + "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", + "cve": "CVE-2021-27922", + "id": "pyup.io-40612", + "specs": [ + "<2021.0.1" + ], + "v": "<2021.0.1" + }, + { + "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27923: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", + "cve": "CVE-2021-27923", + "id": "pyup.io-40607", + "specs": [ + "<2021.0.1" + ], + "v": "<2021.0.1" + }, + { + "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35654: In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.", + "cve": "CVE-2020-35654", + "id": "pyup.io-40996", + "specs": [ + "<2021.0.1" + ], + "v": "<2021.0.1" + }, + { + "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27923: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", + "cve": "CVE-2021-27923", + "id": "pyup.io-40993", + "specs": [ + "<2021.0.1" + ], + "v": "<2021.0.1" + }, + { + "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35655: In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.", + "cve": "CVE-2020-35655", + "id": "pyup.io-40994", + "specs": [ + "<2021.0.1" + ], 
+ "v": "<2021.0.1" + }, + { + "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2020-35653: In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", + "cve": "CVE-2020-35653", + "id": "pyup.io-40995", + "specs": [ + "<2021.0.1" + ], + "v": "<2021.0.1" + }, + { + "advisory": "Ansitoimg 2021.0.1 updates the 'Pillow' dependency to >= 8.1.1 due to a high severity security vulnerability (CVE-2020-35654).", + "cve": "CVE-2020-35654", + "id": "pyup.io-40609", + "specs": [ + "<2021.0.1" + ], + "v": "<2021.0.1" + }, + { + "advisory": "Ansitoimg 2021.0.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", + "cve": "CVE-2021-27921", + "id": "pyup.io-40611", + "specs": [ + "<2021.0.1" + ], + "v": "<2021.0.1" + } + ], + "anymotion-sdk": [ + { + "advisory": "Anymotion-sdk 1.2.5 updates the 'urllib3' dependency and other packages for more security.", + "cve": "PVE-2021-40842", + "id": "pyup.io-40842", + "specs": [ + "<1.2.5" + ], + "v": "<1.2.5" + } + ], "apache-airflow": [ { "advisory": "apache-airflow 1.10.0 fixes XSS vulnerability in Variable endpoint", - "cve": null, + "cve": "PVE-2021-36832", "id": "pyup.io-36832", "specs": [ "<1.10.0" ], "v": "<1.10.0" + }, + { + "advisory": "In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. See CVE-2020-17513.", + "cve": "CVE-2020-17513", + "id": "pyup.io-39282", + "specs": [ + "<1.10.13" + ], + "v": "<1.10.13" + }, + { + "advisory": "The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. 
This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336). See CVE-2021-28359.", + "cve": "CVE-2021-28359", + "id": "pyup.io-40341", + "specs": [ + ">=1.0.0a1,<1.10.15", + ">=2.0.0a1,<2.0.2" + ], + "v": ">=1.0.0a1,<1.10.15,>=2.0.0a1,<2.0.2" } ], "apache-libcloud": [ 
@@ -636,6 +888,159 @@ } ], "apache-superset": [ + { + "advisory": "Apache-superset 0.11.0 allows for requesting access when denied on a dashboard view (#1192), allows to set static headers as configuration (#1126), and prevents XSS on FAB list views (#1125).", + "cve": "PVE-2021-39495", + "id": "pyup.io-39495", + "specs": [ + "<0.11.0" + ], + "v": "<0.11.0" + }, + { + "advisory": "Apache-superset 0.14.0 improves the security scheme (#1587).", + "cve": "PVE-2021-39494", + "id": "pyup.io-39494", + "specs": [ + "<0.14.0" + ], + "v": "<0.14.0" + }, + { + "advisory": "Apache-superset 0.19.1 prevents XSS markup viz (#3211).", + "cve": "PVE-2021-39491", + "id": "pyup.io-39491", + "specs": [ + "<0.19.1" + ], + "v": "<0.19.1" + }, + { + "advisory": "Apache-superset 0.23.0 adds all derived FAB UserModelView views to admin only (#4180), fixes 4 security vulnerabilities (#4390), and bumps dependencies with security issues (#4427).", + "cve": "PVE-2021-39490", + "id": "pyup.io-39490", + "specs": [ + "<0.23.0" + ], + "v": "<0.23.0" + }, + { + "advisory": "Apache-superset 0.25.0 refactors security code into SupersetSecurityManager (#4565).", + "cve": "PVE-2021-39488", + "id": "pyup.io-39488", + "specs": [ + "<0.25.0" + ], + "v": "<0.25.0" + }, + { + "advisory": "Apache-superset 0.28.0rc5 moves set/merge perm to security manager (#5684).", + "cve": "PVE-2021-39485", + "id": "pyup.io-39485", + "specs": [ + "<0.28.0rc5" + ], + "v": "<0.28.0rc5" + }, + { + "advisory": "Apache-superset 0.29.0rc8 secures unsecured views and prevent regressions (#6553).", + "cve": "PVE-2021-39484", + "id": "pyup.io-39484", + "specs": [ + "<0.29.0rc8" + ], + "v": "<0.29.0rc8" + }, + { + "advisory": "Apache-superset 0.31.0rc1 fixes dependencies with vulnerabilities (#6904).", + "cve": "PVE-2021-39483", + "id": "pyup.io-39483", + "specs": [ + "<0.31.0rc1" + ], + "v": "<0.31.0rc1" + }, + { + "advisory": "Apache-superset 0.32.0rc1 makes it easier to redefine Alpha/Gamma (#7036) - this was a security concern. 
It also \r\nran 'npm audit fix' to address various vulnerabilities (#7263).", + "cve": "PVE-2021-39482", + "id": "pyup.io-39482", + "specs": [ + "<0.32.0rc1" + ], + "v": "<0.32.0rc1" + }, + { + "advisory": "Apache-superset 0.32.0rc2.dev2 updates merge_perm and fixes the FAB method (#7355). These were both security issues.", + "cve": "PVE-2021-39480", + "id": "pyup.io-39480", + "specs": [ + "<0.32.0rc2.dev2" + ], + "v": "<0.32.0rc2.dev2" + }, + { + "advisory": "Apache-superset 0.33.0rc1 adds Flask-Talisman (#7443) for security reasons.", + "cve": "PVE-2021-39481", + "id": "pyup.io-39481", + "specs": [ + "<0.33.0rc1" + ], + "v": "<0.33.0rc1" + }, + { + "advisory": "Apache-superset 0.34.0 includes various security improvements. It bumps python libs (#7550), it makes security views use superset's list widget (#7724), and it adds docstrings and type hints (#7952).", + "cve": "PVE-2021-39479", + "id": "pyup.io-39479", + "specs": [ + "<0.34.0" + ], + "v": "<0.34.0" + }, + { + "advisory": "Apache-superset 0.35.0 adds security for restricted metrics (#8175).", + "cve": "PVE-2021-39478", + "id": "pyup.io-39478", + "specs": [ + "<0.35.0" + ], + "v": "<0.35.0" + }, + { + "advisory": "Apache-superset 0.35.1 bumps the dompurify version because of a nasty xss bypass (#8498).", + "cve": "PVE-2021-39477", + "id": "pyup.io-39477", + "specs": [ + "<0.35.1" + ], + "v": "<0.35.1" + }, + { + "advisory": "Apache-superset 0.35.2 bumps packages with security vulnerabilities (#8573), and bumps pyarrow to 0.15.1 due to CVE-2019-12408 (#8583).", + "cve": "CVE-2019-12408", + "id": "pyup.io-39476", + "specs": [ + "<0.35.2" + ], + "v": "<0.35.2" + }, + { + "advisory": "Apache-superset 0.36.0 filters out markdown containing XSS (#9163), adds support for row-level security (#8699), and lets admins be able to reset user passwords on AUTH_DB (#9232). 
It also ran 'npm audit fix' to fix 2 vulnerabilities (#9106).", + "cve": "PVE-2021-39475", + "id": "pyup.io-39475", + "specs": [ + "<0.36.0" + ], + "v": "<0.36.0" + }, + { + "advisory": "Apache-superset 0.37.0 includes various security-related improvements. It fixes regression in #9689 (9705), it fixes can_access with None because it crashed on builtin roles (#10039), it renames schemas_accessible_by_user (#10030), renames access methods (#10031), it updates assert logic (#10034), and it fixes the dbs/clusters perm (#10130).", + "cve": "PVE-2021-39474", + "id": "pyup.io-39474", + "specs": [ + "<0.37.0" + ], + "v": "<0.37.0" + }, { "advisory": "While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python\u2019s `os` package in the web application process in versions < 0.37.1. It was thus possible for an authenticated user to list and access files, environment variables, and process information. Additionally it was possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process. All other operations available to the `os` package in Python were also available, even if not explicitly enumerated in this CVE. See CVE-2020-13948.", "cve": "CVE-2020-13948", @@ -645,9 +1050,18 @@ ], "v": "<0.37.1" }, + { + "advisory": "Apache-superset 0.37.1 disallows uuid package on jinja1 (#10794). This is a security improvement.", + "cve": "PVE-2021-39473", + "id": "pyup.io-39473", + "specs": [ + "<0.37.1" + ], + "v": "<0.37.1" + }, { "advisory": "Apache-superset 0.9.1 improved its security: Gamma role sees only its objects, and only owners and Admins can alter objects.", - "cve": null, + "cve": "PVE-2021-38193", "id": "pyup.io-38193", "specs": [ "<0.9.1" 
@@ -658,7 +1072,7 @@
  "apidev-coop": [
  {
  "advisory": "apidev-coop is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/",
- "cve": null,
+ "cve": "PVE-2021-34979",
  "id": "pyup.io-34979",
  "specs": [
  ">0",
@@ -670,7 +1084,7 @@
  "appdaemon": [
  {
  "advisory": "Appdaemon 3.0.4 uses yaml.Safeloader to work around a known security issue with PyYaml.",
- "cve": null,
+ "cve": "PVE-2021-37096",
  "id": "pyup.io-37096",
  "specs": [
  "<3.0.4"
@@ -681,7 +1095,7 @@
  "appdaemontestframework": [
  {
  "advisory": "appdaemontestframework 2.0.1 updates dependencies to prevent security vulnerabilities",
- "cve": null,
+ "cve": "PVE-2021-37908",
  "id": "pyup.io-37908",
  "specs": [
  "<2.0.1"
@@ -690,7 +1104,7 @@
  },
  {
  "advisory": "appdaemontestframework 2.3.3 update dependencies to fix security vulnerability",
- "cve": null,
+ "cve": "PVE-2021-37907",
  "id": "pyup.io-37907",
  "specs": [
  "<2.3.3"
@@ -701,7 +1115,7 @@
  "apphelpers": [
  {
  "advisory": "To secure the API access, apphelpers 0.9.2 adds the new options `groups_forbidden` and `groups_required`.",
- "cve": null,
+ "cve": "PVE-2021-37151",
  "id": "pyup.io-37151",
  "specs": [
  "<0.9.2"
@@ -712,18 +1126,27 @@
  "appwrite": [
  {
  "advisory": "Appwrite 0.4.0:\r\n* Includes a PHP-FPM security patch fix (https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest) - Upgraded PHP version to 7.3.12 [Major]\r\n* Removes executable permission from avatars files [Minor]\r\n* Updates SDK Generator Twig dependency with security issue: https://www.exploit-db.com/exploits/44102 [Minor]",
- "cve": null,
+ "cve": "PVE-2021-37717",
  "id": "pyup.io-37717",
  "specs": [
  "<0.4.0"
  ],
  "v": "<0.4.0"
+ },
+ {
+ "advisory": "Appwrite 0.9.0 fixes potential XSS injection on the console.",
+ "cve": "PVE-2021-40934",
+ "id": "pyup.io-40934",
+ "specs": [
+ "<0.9.0"
+ ],
+ "v": "<0.9.0"
  }
  ],
  "archi": [
  {
  "advisory": "Archi 0.2.2 is bundled with libarchive 3.4.2. However, libarchive before version 3.4.3 is known to not be secure. See: .",
- "cve": null,
+ "cve": "PVE-2021-37702",
  "id": "pyup.io-37702",
  "specs": [
  "<=0.2.2"
@@ -742,10 +1165,21 @@
  "v": "<0.3.1"
  }
  ],
+ "asciidoc": [
+ {
+ "advisory": "Asciidoc 8.6.6 removes the use of 'eval()' on untrusted input to disallow malicious code execution.",
+ "cve": "PVE-2021-39514",
+ "id": "pyup.io-39514",
+ "specs": [
+ "<8.6.6"
+ ],
+ "v": "<8.6.6"
+ }
+ ],
  "asgi-csrf": [
  {
  "advisory": "Cookie values in asgi-csrf 0.3 are now signed to prevent subdomain attacks. See also: .",
- "cve": null,
+ "cve": "PVE-2021-38376",
  "id": "pyup.io-38376",
  "specs": [
  "<0.3"
@@ -756,7 +1190,7 @@
  "aspen": [
  {
  "advisory": "aspen 0.39 fixes two security bugs related to CRLF injection - https://github.com/gratipay/security-qf35us/issues/1",
- "cve": null,
+ "cve": "PVE-2021-36873",
  "id": "pyup.io-36873",
  "specs": [
  "<0.39"
@@ -765,7 +1199,7 @@
  },
  {
  "advisory": "aspen 0.42 protects against URL redirection attacks (#471)",
- "cve": null,
+ "cve": "PVE-2021-36872",
  "id": "pyup.io-36872",
  "specs": [
  "<0.42"
@@ -776,7 +1210,7 @@
  "astropy": [
  {
  "advisory": "astropy 3.0.1 updates the bundled CFITSIO library to 3.430. This is to remedy a critical security vulnerability that was identified by NASA.",
- "cve": null,
+ "cve": "PVE-2021-35810",
  "id": "pyup.io-35810",
  "specs": [
  "<3.0.1"
@@ -784,10 +1218,32 @@
  "v": "<3.0.1"
  }
  ],
+ "async-search-client": [
+ {
+ "advisory": "Async-search-client 0.5.1 updates the 'pydantic' dependency from 1.8.1 to 1.8.2 to fix a security vulnerability.",
+ "cve": "PVE-2021-40437",
+ "id": "pyup.io-40437",
+ "specs": [
+ "<0.5.1"
+ ],
+ "v": "<0.5.1"
+ }
+ ],
+ "asyncssh": [
+ {
+ "advisory": "Asyncssh 2.5.0 added a configurable maximum line length when the editor is in use to avoid potential denial-of-service attacks.",
+ "cve": "PVE-2021-39350",
+ "id": "pyup.io-39350",
+ "specs": [
+ "<2.5.0"
+ ],
+ "v": "<2.5.0"
+ }
+ ],
  "att-iot-gateway": [
  {
  "advisory": "Att-iot-gateway before 0.4.0 uses a insecure HTTP connection.",
- "cve": null,
+ "cve": "PVE-2021-34257",
  "id": "pyup.io-34257",
  "specs": [
  "<0.4.0"
@@ -795,10 +1251,21 @@
  "v": "<0.4.0"
  }
  ],
+ "auditree-framework": [
+ {
+ "advisory": "Auditree-framework 1.19.0 fixes minor security issues found by the 'bandit'.",
+ "cve": "PVE-2021-40445",
+ "id": "pyup.io-40445",
+ "specs": [
+ "<1.19.0"
+ ],
+ "v": "<1.19.0"
+ }
+ ],
  "authbwc": [
  {
  "advisory": "authbwc 0.1.4 fixes an issue with the way the HTTP session user permissions were loaded. This vulnerability made it possible for a user to gain the permissions of the user logged in previously. The user would have had to be sharing the same http session for this access to have been gained.",
- "cve": null,
+ "cve": "PVE-2021-25631",
  "id": "pyup.io-25631",
  "specs": [
  "<0.1.4"
@@ -807,7 +1274,7 @@
  },
  {
  "advisory": "authbwc before 0.3.1 has a vulnerability in the password reset process that allowed users to log in when inactive.",
- "cve": null,
+ "cve": "PVE-2021-34836",
  "id": "pyup.io-34836",
  "specs": [
  "<0.3.1"
@@ -815,30 +1282,50 @@
  "v": "<0.3.1"
  }
  ],
- "autobahn": [
+ "auto-surprise": [
  {
- "advisory": "In autobahn before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.",
- "cve": null,
- "id": "pyup.io-25632",
+ "advisory": "Auto-surprise 0.1.7 includes bot security version updates.",
+ "cve": "PVE-2021-40146",
+ "id": "pyup.io-40146",
  "specs": [
- "<0.15.0"
+ "<0.1.7"
+ ],
+ "v": "<0.1.7"
+ }
+ ],
+ "autobahn": [
+ {
+ "advisory": "In autobahn before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.",
+ "cve": "PVE-2021-25632",
+ "id": "pyup.io-25632",
+ "specs": [
+ "<0.15.0"
  ],
  "v": "<0.15.0"
  },
  {
  "advisory": "autobahn 0.6.4 fixes a security issue related to a WAMP-CRA timing attack very, very unlikely to be exploitable.",
- "cve": null,
+ "cve": "PVE-2021-25633",
  "id": "pyup.io-25633",
  "specs": [
  "<0.6.4"
  ],
  "v": "<0.6.4"
+ },
+ {
+ "advisory": "Autobahn|Python before 20.12.3 allows redirect header injection. See CVE-2020-35678.",
+ "cve": "CVE-2020-35678",
+ "id": "pyup.io-39363",
+ "specs": [
+ "<20.12.3"
+ ],
+ "v": "<20.12.3"
  }
  ],
  "avocado-framework": [
  {
  "advisory": "avocado-framework 0.17.0 fixes a temporary dir issue, that had potential security implications.",
- "cve": null,
+ "cve": "PVE-2021-34679",
  "id": "pyup.io-34679",
  "specs": [
  "<0.17.0"
@@ -849,7 +1336,7 @@
  "awkward": [
  {
  "advisory": "Awkward 0.10.1 closes a security hole and backward incompatibility in `awkward.persist.whitelist` handling.",
- "cve": null,
+ "cve": "PVE-2021-37154",
  "id": "pyup.io-37154",
  "specs": [
  "<0.10.1"
@@ -860,7 +1347,7 @@
  "aws-parallelcluster": [
  {
  "advisory": "Aws-parallelcluster 2.4.0 removes AWS credentials from the ``parallelcluster`` config file for a better security posture. Credentials can now be set up following the canonical procedure used for the aws cli.",
- "cve": null,
+ "cve": "PVE-2021-37211",
  "id": "pyup.io-37211",
  "specs": [
  "<2.4.0"
@@ -871,7 +1358,7 @@
  "awscli": [
  {
  "advisory": "awscli 1.11.83 fixes a possible security issue where files could be downloaded to a directory outside the destination directory if the key contained relative paths when downloading files recursively.",
- "cve": null,
+ "cve": "PVE-2021-34627",
  "id": "pyup.io-34627",
  "specs": [
  "<1.11.83"
@@ -882,7 +1369,7 @@
  "backend.ai": [
  {
  "advisory": "Backend.ai 19.03.0b1 supports running multiple managers on the same host by randomizing internal IPC socket addresses. This also improves the security a little.",
- "cve": null,
+ "cve": "PVE-2021-39087",
  "id": "pyup.io-39087",
  "specs": [
  "<19.03.0b1"
@@ -891,7 +1378,7 @@
  },
  {
  "advisory": "Backend.ai 19.03.0rc1 supports authentication with etcd and Redis for better security.",
- "cve": null,
+ "cve": "PVE-2021-39086",
  "id": "pyup.io-39086",
  "specs": [
  "<19.03.0rc1"
@@ -900,7 +1387,7 @@
  },
  {
  "advisory": "Backend.ai 19.09.0rc4 includes image import. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases. Additionally, it includes a privilege escalation fix because domain-admins could run sessions on behalf of super-admins in the same domain.",
- "cve": null,
+ "cve": "PVE-2021-38675",
  "id": "pyup.io-38675",
  "specs": [
  "<19.09.0rc4"
@@ -911,7 +1398,7 @@
  "backend.ai-manager": [
  {
  "advisory": "Backend.ai-manager 19.09.0rc4 fixes privilege escalation because domain-admins could run sessions on behalf of super-admins in the same domain. It also introduces Image import (171) - currently this is limited to import Python-based kernels only. This is implemented on top of batch tasks, with some specialization to prevent security issues due to direct access to agent host's Docker daemon. Importing as service-port only image support will be added in future releases.",
- "cve": null,
+ "cve": "PVE-2021-37531",
  "id": "pyup.io-37531",
  "specs": [
  "<19.09.0rc4"
@@ -922,7 +1409,7 @@
  "bakercm": [
  {
  "advisory": "bakercm 0.4.4 updates pythoncryptodome after security issue #16",
- "cve": null,
+ "cve": "PVE-2021-36651",
  "id": "pyup.io-36651",
  "specs": [
  "<0.4.4"
@@ -933,7 +1420,7 @@
  "barman": [
  {
  "advisory": "Barman 2.11 removes the strict superuser requirement for PG 10+. As of PostgreSQL 10 it is possible to execute \r\nbackups without superuser privileges, which is actually the recommended method for security reasons. Non-superuser backups need to grant some privileges to the user used by Barman to connect to PostgreSQL, as documented in the 21-preliminary_steps.en.md section.\r\n\r\nIt also ensures each postgres connection has an empty search_path. This is the only safe option when there is no information about how secure the search path is on the target database. This is done by appending \"options=-csearch_path=\" to any conninfo string.",
- "cve": null,
+ "cve": "PVE-2021-38502",
  "id": "pyup.io-38502",
  "specs": [
  "<2.11"
@@ -944,7 +1431,7 @@
  "baseplate": [
  {
  "advisory": "Baseplate 0.19.0 includes support for fetching secrets in a secure, auditable, manner from Hashicorp Vault. A sidecar daemon manages the infrastructure-level authentication with Vault and fetches secrets to a file on disk. Helpers in Baseplate then allow your application to fetch these secrets efficiently from the sidecar daemon with some helpful conventions for versioning/key rotation. This is now the right way to get secret tokens into your application going forward. See: .",
- "cve": null,
+ "cve": "PVE-2021-38349",
  "id": "pyup.io-38349",
  "specs": [
  "<0.19.0"
@@ -953,7 +1440,7 @@
  },
  {
  "advisory": "Authentication tokens in baseplate 0.22.0 provided by the authentication service can now be automatically propagated between services when making Thrift calls. This allows internal services to securely and accurately understand on whose behalf a given request is being made so they can decide if the requester is authorized for a particular action. The context is passed implicitly, in request headers, so no extra parameters need be added to service IDLs. Baseplate provides APIs for validating and accessing the tokens from within request context and will automatically pass upstream credentials to downstream services without extra work.",
- "cve": null,
+ "cve": "PVE-2021-38348",
  "id": "pyup.io-38348",
  "specs": [
  "<0.22.0"
@@ -962,7 +1449,7 @@
  },
  {
  "advisory": "Baseplate 0.24.0 includes a EdgeRequestContext/AuthenticationToken unification. This isn't a new addition, but a **breaking** rework of authentication context in Baseplate. Authentication token propagation and access is now fully integrated into the edge request context. Authentication tokens are propagated inside the edge context header and the API for applications built on Baseplate is unified. See below for details on how to use this.",
- "cve": null,
+ "cve": "PVE-2021-38347",
  "id": "pyup.io-38347",
  "specs": [
  "<0.24.0"
@@ -971,7 +1458,7 @@
  },
  {
  "advisory": "Services often need to securely store username/password pairs. Baseplate 0.30.0 has a convention for doing so called a credential secret. In addition, the sqlalchemy integration now uses this new credential type and you can expect other integrations to do so in the future. See also: .",
- "cve": null,
+ "cve": "PVE-2021-38346",
  "id": "pyup.io-38346",
  "specs": [
  "<0.30.0"
@@ -982,7 +1469,7 @@
  "basketball-reference-web-scraper": [
  {
  "advisory": "Basketball-reference-web-scraper 4.2.2 includes upgrades the `urllib3` library to `1.25.2` due to a security vulnerability with versions less than `1.24.2`.",
- "cve": null,
+ "cve": "PVE-2021-37123",
  "id": "pyup.io-37123",
  "specs": [
  "<4.2.2"
@@ -991,7 +1478,7 @@
  },
  {
  "advisory": "Basketball-reference-web-scraper 4.2.3 updates urllib3 to 1.24.3 to avoid a security vulnerability. This also fulfills the requirement to update the `requests` version.",
- "cve": null,
+ "cve": "PVE-2021-37195",
  "id": "pyup.io-37195",
  "specs": [
  "<4.2.3"
@@ -1002,7 +1489,7 @@
  "bbcode": [
  {
  "advisory": "bbcode 1.0.9 escapes quotes correctly to prevent XSS",
- "cve": null,
+ "cve": "PVE-2021-25634",
  "id": "pyup.io-25634",
  "specs": [
  "<1.0.9"
@@ -1013,7 +1500,7 @@
  "beaker": [
  {
  "advisory": "beaker 0.9.4 fixes security issue with Beaker not properly removing directory escaping characters from the session ID when un-signed sessions are used.",
- "cve": null,
+ "cve": "PVE-2021-25635",
  "id": "pyup.io-25635",
  "specs": [
  "<0.9.4"
@@ -1042,7 +1529,7 @@
  "benchexec": [
  {
  "advisory": "Benchexec 2.2 fixes two security issues:\r\n- Since BenchExec 2.1, the setup of the container for the tool-info module (which was added in BenchExec 1.20) could silently fail, for example if user namespaces are disabled on the system. In this case the tool-info module would be executed outside of the container. Run execution was not affected.\r\n- The kernel offers a keyring feature for storage of keys related to features like Kerberos and ecryptfs. Before Linux 5.2, there existed one keyring per user, and BenchExec did not prevent access from the tool inside the container to the kernel keyring of the user who started BenchExec. Now such accesses are forbidden (on all kernel versions) using seccomp (http://man7.org/linux/man-pages/man2/seccomp.2.html) if libseccomp2 (https://github.com/seccomp/libseccomp) is installed, which should be the case on any standard distribution. Note that seccomp filters do have a slight performance impact and could prevent some binaries on exotic architectures from working. In such a case please file a bug report (https://github.com/sosy-lab/benchexec/issues/new).",
- "cve": null,
+ "cve": "PVE-2021-37510",
  "id": "pyup.io-37510",
  "specs": [
  "<2.2"
@@ -1050,10 +1537,21 @@
  "v": "<2.2"
  }
  ],
+ "bento-lib": [
+ {
+ "advisory": "Bento-lib 3.0.1 includes security fix to prevent data leak in error messages from data structure queries by default and adds 'secure_errors' param for data structure querying methods.",
+ "cve": "PVE-2021-41035",
+ "id": "pyup.io-41035",
+ "specs": [
+ "<3.0.1"
+ ],
+ "v": "<3.0.1"
+ }
+ ],
  "bepasty": [
  {
  "advisory": "bepasty 0.3.0 contains two security fixes: \r\n- When showing potentially dangerous text/* types, force the\r\n content-type to be text/plain and also turn the browser's sniffer off.\r\n- Prevent disclosure of locked item's metadata",
- "cve": null,
+ "cve": "PVE-2021-25637",
  "id": "pyup.io-25637",
  "specs": [
  "<0.3.0"
@@ -1062,7 +1560,7 @@
  },
  {
  "advisory": "Bepasty 0.6.0 invalidates old client-side cookies if PERMISSIONS in config are changed. This is a security fix.",
- "cve": null,
+ "cve": "PVE-2021-39120",
  "id": "pyup.io-39120",
  "specs": [
  "<0.6.0"
@@ -1073,7 +1571,7 @@
  "berglas": [
  {
  "advisory": "Berglas 0.2.0 no longer trusts the environment variables.",
- "cve": null,
+ "cve": "PVE-2021-37340",
  "id": "pyup.io-37340",
  "specs": [
  "<0.2.0"
@@ -1084,7 +1582,7 @@
  "bigchaindb": [
  {
  "advisory": "Bigchaindb 2.2.2 updates several dependencies, including Flask, which had a vulnerability.",
- "cve": null,
+ "cve": "PVE-2021-38832",
  "id": "pyup.io-38832",
  "specs": [
  "<2.2.2"
@@ -1106,7 +1604,7 @@
  "bigdl": [
  {
  "advisory": "Bigdl 0.8.0 fixes the scala compiler security issue in 2.10 & 2.11",
- "cve": null,
+ "cve": "PVE-2021-37576",
  "id": "pyup.io-37576",
  "specs": [
  "<0.8.0"
@@ -1117,7 +1615,7 @@
  "bincrafters-envy": [
  {
  "advisory": "bincrafters-envy 0.1.3 updates the request module",
- "cve": null,
+ "cve": "PVE-2021-36732",
  "id": "pyup.io-36732",
  "specs": [
  "<0.1.3"
@@ -1128,7 +1626,7 @@
  "birdhousebuilder-recipe-nginx": [
  {
  "advisory": "birdhousebuilder-recipe-nginx 0.1.5 disables the use of SSLv3 (poodle attack).",
- "cve": null,
+ "cve": "PVE-2021-36135",
  "id": "pyup.io-36135",
  "specs": [
  "<0.1.5"
@@ -1139,7 +1637,7 @@
  "birdhousebuilder.recipe.nginx": [
  {
  "advisory": "birdhousebuilder.recipe.nginx 0.1.5 disabled SSLv3 due to the poodle attack.",
- "cve": null,
+ "cve": "PVE-2021-25638",
  "id": "pyup.io-25638",
  "specs": [
  "<0.1.5"
@@ -1150,7 +1648,7 @@
  "bise.theme": [
  {
  "advisory": "bise.theme 2.4 fixes a potential XSS issue with catalogue search.",
- "cve": null,
+ "cve": "PVE-2021-25639",
  "id": "pyup.io-25639",
  "specs": [
  "<2.4"
@@ -1161,7 +1659,7 @@
  "bitbot": [
  {
  "advisory": "For security reasons, REST API only listens on localhost in Bitbot 1.12.0.",
- "cve": null,
+ "cve": "PVE-2021-37551",
  "id": "pyup.io-37551",
  "specs": [
  "<1.12.0"
@@ -1194,7 +1692,7 @@
  "blask": [
  {
  "advisory": "Blask 0.2.2 fixes some vulnerabilities. See: .",
- "cve": null,
+ "cve": "PVE-2021-39028",
  "id": "pyup.io-39028",
  "specs": [
  "<0.2.2"
@@ -1216,7 +1714,7 @@
  "bleach": [
  {
  "advisory": "bleach 2.1 converts control characters (backspace particularly) to \"?\" preventing malicious copy-and-paste situations.",
- "cve": null,
+ "cve": "PVE-2021-34965",
  "id": "pyup.io-34965",
  "specs": [
  "<2.1"
@@ -1225,7 +1723,7 @@
  },
  {
  "advisory": "Calls to `bleach.clean` allowing `noscript` and one or more of the raw text tags (`title`, `textarea`, `script`, `style`, `noembed`, `noframes`, `iframe`, and `xmp`) in bleach before version 3.1.1 were vulnerable to a mutation XSS.\r\n\r\nAlso, the `bleach.clean` behavior parsing `noscript` tags in bleach before version 3.1.1 did not match browser behavior.\r\n\r\nThis security issue was confirmed in Bleach versions v2.1.4, v3.0.2, and v3.1.0. Earlier versions are probably affected too.",
- "cve": null,
+ "cve": "PVE-2021-38546",
  "id": "pyup.io-38546",
  "specs": [
  "<3.1.1"
@@ -1234,7 +1732,7 @@
  },
  {
  "advisory": "The ``bleach.clean`` behavior parsing ``noscript`` tags did not match browser behavior in Bleach versions v2.1.4, v3.0.2, and v3.1.0 (and probably earlier versions too). \r\n\r\nCalls to ``bleach.clean`` allowing ``noscript`` and one or more of the raw text tags (``title``, ``textarea``, ``script``, ``style``, ``noembed``, ``noframes``, ``iframe``, and ``xmp``) were vulnerable to a mutation XSS.\r\n\r\nSee: https://bugzilla.mozilla.org/show_bug.cgi?id=1615315",
- "cve": null,
+ "cve": "PVE-2021-37910",
  "id": "pyup.io-37910",
  "specs": [
  "<=3.1.0"
@@ -1243,7 +1741,7 @@ }, { "advisory": "The ``bleach.clean`` behavior parsing embedded MathML and SVG content with RCDATA tags in Bleach versions <= 3.1.1 did not match browser behavior and could result in a mutation XSS.\r\n\r\nCalls to ``bleach.clean`` with ``strip=False`` and ``math`` or ``svg`` tags and one or more of the RCDATA tags ``script``, ``noscript``, ``style``, ``noframes``, ``iframe``, ``noembed``, or ``xmp`` in the allowed tags whitelist were vulnerable to a mutation XSS.\r\n\r\nThis security issue was confirmed in Bleach version v3.1.1. Earlier versions are likely affected too.", - "cve": null, + "cve": "PVE-2021-38076", "id": "pyup.io-38076", "specs": [ "<=3.1.1" @@ -1252,7 +1750,7 @@ }, { "advisory": "The ``bleach.clean`` behavior parsing style attributes in bleach before 3.1.4 could result in a regular expression denial of service (ReDoS). Calls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute were vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={'a': ['style']})``. This issue was confirmed in Bleach versions v3.1.3, v3.1.2, v3.1.1, v3.1.0, v3.0.0, v2.1.4, and v2.1.3. Earlier versions used a similar regular expression and should be considered vulnerable too.", - "cve": null, + "cve": "PVE-2021-38107", "id": "pyup.io-38107", "specs": [ "<=3.1.3" @@ -1272,7 +1770,7 @@ "bleach-extras": [ { "advisory": "Bleach-extras 0.0.4 requires bleach version 3.2.1 to deal with security issues.", - "cve": null, + "cve": "PVE-2021-38875", "id": "pyup.io-38875", "specs": [ "<0.0.4" @@ -1283,7 +1781,7 @@ "blinkpy": [ { "advisory": "blinkpy 0.10.2 sets minimum required version of the requests library to 2.20.0 due to vulnerability in earlier releases.", - "cve": null, + "cve": "PVE-2021-36596", "id": "pyup.io-36596", "specs": [ "<0.10.2" 
@@ -1323,7 +1821,7 @@ }, { "advisory": "In bodhi before 2.9.1 it is possible to inject JavaScript into Bodhi's web interface through Bugzilla ticket subjects.", - "cve": null, + "cve": "PVE-2021-35208", "id": "pyup.io-35208", "specs": [ "<2.9.1" @@ -1345,7 +1843,7 @@ "bok-choy": [ { "advisory": "bok-choy 0.5.1 contains a fix to XSS vulnerability in the auditing feature.", - "cve": null, + "cve": "PVE-2021-25641", "id": "pyup.io-25641", "specs": [ "<0.5.1" @@ -1365,7 +1863,7 @@ }, { "advisory": "Bokeh before 1.1.0 includes a handlebars security vulnerability [components: bokehjs & build]. NPM won't install.", - "cve": null, + "cve": "PVE-2021-37031", "id": "pyup.io-37031", "specs": [ "<1.1.0" @@ -1374,7 +1872,7 @@ }, { "advisory": "Bokeh 1.2.0 fixes a security vulnerabilities reported by npm audit.", - "cve": null, + "cve": "PVE-2021-37170", "id": "pyup.io-37170", "specs": [ "<1.2.0" 
@@ -1430,6 +1928,15 @@ ], "v": "<0.12.10" }, + { + "advisory": "The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. See CVE-2020-28473.", + "cve": "CVE-2020-28473", + "id": "pyup.io-39461", + "specs": [ + "<0.12.19" + ], + "v": "<0.12.19" + }, { "advisory": "Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.", "cve": "CVE-2014-3137", @@ -1445,7 +1952,7 @@ "boussole": [ { "advisory": "Boussole 1.5.0 fixes the PyYAML 'load()' deprecation warning. For a recent security issue, PyYAML has introduced a change to its ``load()`` method to be more safe. Boussole now uses the full loader mode so it does not trigger a warning anymore.", - "cve": null, + "cve": "PVE-2021-37147", "id": "pyup.io-37147", "specs": [ "<1.5.0" @@ -1456,7 +1963,7 @@ "brasil.gov.portal": [ { "advisory": "brasil.gov.portal before 1.5.1 uses Plone <4.3.15 which is vulnerable to several XSS and redirect flaws, and a sandbox escape.", - "cve": null, + "cve": "PVE-2021-35086", "id": "pyup.io-35086", "specs": [ "<1.5.1" 
@@ -1467,7 +1974,7 @@ "bsblan": [ { "advisory": "Bsblan 0.27 sets the DEFAULT_FLAG in config to read-only for added level of security.", - "cve": null, + "cve": "PVE-2021-37697", "id": "pyup.io-37697", "specs": [ "<0.27" @@ -1478,7 +1985,7 @@ "buildbot": [ { "advisory": "Buildbot before 1.3.0 did not use ``hmac.compare_digest()`` in GitHub hooks.", - "cve": null, + "cve": "PVE-2021-36320", "id": "pyup.io-36320", "specs": [ "<1.3.0" @@ -1487,7 +1994,7 @@ }, { "advisory": "Buildbot 1.8.2 fixes a vulnerability in OAuth where user-submitted authorization tokens are used for authentication. See: .", - "cve": null, + "cve": "PVE-2021-37161", "id": "pyup.io-37161", "specs": [ "<1.8.2" @@ -1496,7 +2003,7 @@ }, { "advisory": "buildbot 2.0.0 fixes CRLF injection vulnerability with validating user provided redirect parameters (https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code)", - "cve": null, + "cve": "PVE-2021-36865", "id": "pyup.io-36865", "specs": [ "<2.0.0" @@ -1505,7 +2012,7 @@ }, { "advisory": "Buildbot 2.3.1 fixes a vulnerability in OAuth where a user-submitted authorization token was used for authentication. See: .", - "cve": null, + "cve": "PVE-2021-37160", "id": "pyup.io-37160", "specs": [ "<2.3.1" @@ -1516,7 +2023,7 @@ "byarse": [ { "advisory": "Byarse 1.1.0 introduces 'Safe mode', which can be enabled to prevent unpickling Pickle type during deserialization. This prevents a big security vulnerability.", - "cve": null, + "cve": "PVE-2021-38754", "id": "pyup.io-38754", "specs": [ "<1.1.0" @@ -1527,7 +2034,7 @@ "bzip": [ { "advisory": "bzip is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, + "cve": "PVE-2021-34980", "id": "pyup.io-34980", "specs": [ ">0", 
@@ -1550,7 +2057,7 @@ "cacophonyapi": [ { "advisory": "Cacophonyapi 4.13.0 addresses a security vulnerability. No details were given.", - "cve": null, + "cve": "PVE-2021-39127", "id": "pyup.io-39127", "specs": [ "<4.13.0" @@ -1559,7 +2066,7 @@ }, { "advisory": "Cacophonyapi 4.6.0 addresses a security vulnerability in eslint-utils.", - "cve": null, + "cve": "PVE-2021-39128", "id": "pyup.io-39128", "specs": [ "<4.6.0" 
@@ -1570,18 +2077,58 @@ "cairosvg": [ { "advisory": "cairosvg 1.0.21 is a security update. CairoSVG was vulnerable to XML eXternal Entity (XXE) attacks, this release fixes this vulnerability by not resolving the XML entities anymore. The ``--unsafe`` option has been added to force the resolution of XML entities. Obviously, this option is not safe and should only be used with trusted SVG files.", - "cve": null, + "cve": "PVE-2021-25643", "id": "pyup.io-25643", "specs": [ "<1.0.21" ], "v": "<1.0.21" + }, + { + "advisory": "CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. See CVE-2021-21236.", + "cve": "CVE-2021-21236", + "id": "pyup.io-39419", + "specs": [ + "<2.5.1" + ], + "v": "<2.5.1" + }, + { + "advisory": "When processing SVG files, cairosvg before 2.5.1 was using two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.", + "cve": "PVE-2021-39404", + "id": "pyup.io-39404", + "specs": [ + "<2.5.1" + ], + "v": "<2.5.1" + } + ], + "calcipy": [ + { + "advisory": "Calcipy 2021.0.2.0 adding security check task.", + "cve": "PVE-2021-40621", + "id": "pyup.io-40621", + "specs": [ + "<2021.0.2.0" + ], + "v": "<2021.0.2.0" + } + ], + "calcwave": [ + { + "advisory": "Calcwave 1.2.6 updates limits for modules and functions available to 'eval()' in the interpreter. 
This greatly improves the security and reduces the risk of accidentally calling the 'Python' function that damages your computer.", + "cve": "PVE-2021-40507", + "id": "pyup.io-40507", + "specs": [ + "<1.2.6" + ], + "v": "<1.2.6" } ], "callisto-core": [ { "advisory": "Callisto-core 0.27.9 includes some not further specified security updates.", - "cve": null, + "cve": "PVE-2021-37355", "id": "pyup.io-37355", "specs": [ "<0.27.9" @@ -1592,7 +2139,7 @@ "candig-server": [ { "advisory": "Candig-server 0.9.0 has enhanced security through a refined data access control mechanism.", - "cve": null, + "cve": "PVE-2021-37219", "id": "pyup.io-37219", "specs": [ "<0.9.0" @@ -1601,7 +2148,7 @@ }, { "advisory": "candig-server 0.9.2 changes: Jinja2 package has been updated to resolve security vulnerability issues.", - "cve": null, + "cve": "PVE-2021-37218", "id": "pyup.io-37218", "specs": [ "<0.9.2" @@ -1610,7 +2157,7 @@ }, { "advisory": "Candig-server 1.0.2 updates WerkZeug to 0.15.5 to resolve its security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37467", "id": "pyup.io-37467", "specs": [ "<1.0.2" @@ -1619,7 +2166,7 @@ }, { "advisory": "Candig-server 1.4.0 includes some upgraded third-party libraries, improving security.", - "cve": null, + "cve": "PVE-2021-39169", "id": "pyup.io-39169", "specs": [ "<1.4.0" 
@@ -1627,10 +2174,21 @@ "v": "<1.4.0" } ], + "cartridge-braintree": [ + { + "advisory": "Cartridge-braintree 1.2.2 sets minimum Django version to 1.11.29 and maximum version to 1.12 to fix security vulnerabilities.", + "cve": "PVE-2021-40229", + "id": "pyup.io-40229", + "specs": [ + "<1.2.2" + ], + "v": "<1.2.2" + } + ], "cbapi": [ { "advisory": "The underlying CbAPI connection class erroneously disabled hostname validation by default. This does *not* affect code that uses CbAPI through the public interfaces documented here; it only affects code that accesses the new ``CbAPISessionAdapter`` class directly. This class was introduced in version 1.3.3. Regardless, it is strongly recommended that all users currently using 1.3.3 upgrade to 1.3.4.", - "cve": null, + "cve": "PVE-2021-34933", "id": "pyup.io-34933", "specs": [ ">=1.3.3,<1.3.4" @@ -1641,7 +2199,7 @@ "ccf": [ { "advisory": "Ccf 0.7 fixes a vulnerability to a possible replay attack.", - "cve": null, + "cve": "PVE-2021-38641", "id": "pyup.io-38641", "specs": [ "<0.7" @@ -1652,7 +2210,7 @@ "celery": [ { "advisory": "Insecure default configuration The default accept_content setting was set to allow deserialization of pickled messages in Celery 4.0.0. The insecure default has been fixed in 4.0.1, and you can also configure the 4.0.0 version to explicitly only allow json serialized messages.", - "cve": null, + "cve": "PVE-2021-25646", "id": "pyup.io-25646", "specs": [ ">=4.0,<4.0.1" @@ -1663,7 +2221,7 @@ "cellxgene": [ { "advisory": "Cellxgene 0.12.0 has Python and Javascript package updates, for both security and performance.", - "cve": null, + "cve": "PVE-2021-37801", "id": "pyup.io-37801", "specs": [ "<0.12.0" @@ -1672,7 +2230,7 @@ }, { "advisory": "Cellxgene 0.16.0 removed the `client` package that introduced security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-38696", "id": "pyup.io-38696", "specs": [ "<0.16.0" 
@@ -1683,7 +2241,7 @@ "centrifuge": [ { "advisory": "centrifuge 0.3.8 includes a security fix! Please, upgrade to this version or disable access to `/dumps` location.", - "cve": null, + "cve": "PVE-2021-25647", "id": "pyup.io-25647", "specs": [ "<0.3.8" @@ -1694,7 +2252,7 @@ "certbot": [ { "advisory": "Certbot before 0.34.0 does not print warnings when run as root with insecure file system permissions.", - "cve": null, + "cve": "PVE-2021-38484", "id": "pyup.io-38484", "specs": [ "<0.34.0" @@ -1703,7 +2261,7 @@ }, { "advisory": "Certbot through 0.34.0 does not configure the web server so that all requests redirect to secure HTTPS access.", - "cve": null, + "cve": "PVE-2021-37112", "id": "pyup.io-37112", "specs": [ "<=0.34.0" @@ -1714,7 +2272,7 @@ "cerulean": [ { "advisory": "cerulean 0.3.4 - Directory permissions when using mkdir(). This is a security issue, and you\r\n should upgrade as soon as possible.", - "cve": null, + "cve": "PVE-2021-36796", "id": "pyup.io-36796", "specs": [ "<0.3.4" @@ -1725,7 +2283,7 @@ "cffconvert": [ { "advisory": "cffconvert 1.0.3 updates requests from 2.18.4 to 2.20.0 (security bugfix)", - "cve": null, + "cve": "PVE-2021-36623", "id": "pyup.io-36623", "specs": [ "<1.0.3" @@ -1745,7 +2303,7 @@ }, { "advisory": "Please upgrade to 1.8.0 immediately.\r\n\r\nVersions 1.6.6 to 1.7.1 are vulnerable to code execution. If you are running a vulnerable version, a malicious website owner could craft a page which executes arbitrary Python code on the machine that runs this script. This can only occur if the website that the user attempts to scrape has specifically prepared a page to exploit vulnerable versions of cfscrape.", - "cve": null, + "cve": "PVE-2021-34275", "id": "pyup.io-34275", "specs": [ ">=1.6.6,<=1.8" @@ -1756,7 +2314,7 @@ "cfstacks": [ { "advisory": "Cfstacks 0.4.4 upgrades PyAML to 4.2b1 (or later) to fix a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38388", "id": "pyup.io-38388", "specs": [ "<0.4.4" 
@@ -1764,10 +2322,21 @@ "v": "<0.4.4" } ], + "cg": [ + { + "advisory": "Cg 18.11.3 upgrades the insecure cryptography dependency.", + "cve": "PVE-2021-39614", + "id": "pyup.io-39614", + "specs": [ + "<18.11.3" + ], + "v": "<18.11.3" + } + ], "chanjo-report": [ { "advisory": "chanjo-report 2.4.0 removes a link to the \"index\" page from the report (security).", - "cve": null, + "cve": "PVE-2021-25648", "id": "pyup.io-25648", "specs": [ "<2.4.0" @@ -1775,10 +2344,21 @@ "v": "<2.4.0" } ], + "channels": [ + { + "advisory": "Channels 3.0.3 includes a fix for CVE-2020-35681. See also: .", + "cve": "CVE-2020-35681", + "id": "pyup.io-39368", + "specs": [ + ">=3.0.0,<3.0.3" + ], + "v": ">=3.0.0,<3.0.3" + } + ], "chaosloader": [ { "advisory": "Chaosloader 1.0.0 adds secure encrypted password to travis.yml.", - "cve": null, + "cve": "PVE-2021-37048", "id": "pyup.io-37048", "specs": [ "<1.0.0" @@ -1789,7 +2369,7 @@ "charm-tools": [ { "advisory": "Charm-tools 2.6.0 addresses security alerts from GitHub (#484).", - "cve": null, + "cve": "PVE-2021-37201", "id": "pyup.io-37201", "specs": [ "<2.6.0" @@ -1800,7 +2380,7 @@ "charmhelpers": [ { "advisory": "Charmhelpers 0.19.13 updates Keystone expectations to meet security guide (299).", - "cve": null, + "cve": "PVE-2021-37032", "id": "pyup.io-37032", "specs": [ "<0.19.13" @@ -1811,7 +2391,7 @@ "chartify": [ { "advisory": "Chartify 2.7.0 bumps the base Pillow dependency to avoid a version that's not secure.", - "cve": null, + "cve": "PVE-2021-38345", "id": "pyup.io-38345", "specs": [ "<2.7.0" @@ -1822,7 +2402,7 @@ "chatbot-ner": [ { "advisory": "For security reasons, chatbot-ner 0.5.8 updates requirements and adds a new version of Django upgrade.", - "cve": null, + "cve": "PVE-2021-38516", "id": "pyup.io-38516", "specs": [ "<0.5.8" 
@@ -1831,7 +2411,7 @@ }, { "advisory": "For security reasons, chatbot-ner 0.6.0 updates requirements and adds a new version of Django upgrade.", - "cve": null, + "cve": "PVE-2021-38515", "id": "pyup.io-38515", "specs": [ "<0.6.0" @@ -1842,7 +2422,7 @@ "cheetah": [ { "advisory": "cheetah 0.9.17rc1 removeS the use of temp files for handling imports with dynamic compilation. This removes a whole slew of issues, including a temp file security issue.", - "cve": null, + "cve": "PVE-2021-25649", "id": "pyup.io-25649", "specs": [ "<0.9.17rc1" @@ -1853,7 +2433,7 @@ "cheetah3": [ { "advisory": "Cheetah3 version 3.2.2 replaces the outdated and insecure ``mktemp`` with ``mkstemp``.", - "cve": null, + "cve": "PVE-2021-37134", "id": "pyup.io-37134", "specs": [ "<3.2.2" @@ -1864,7 +2444,7 @@ "cheroot": [ { "advisory": "Cheroot 6.3.2 introduces a HTTP 400 response to a malicious 'Content-Length' in the request headers.", - "cve": null, + "cve": "PVE-2021-39125", "id": "pyup.io-39125", "specs": [ "<6.3.2" @@ -1884,9 +2464,18 @@ } ], "chia-blockchain": [ + { + "advisory": "Consideration of the new consensus algorithm in chia-blockchain version 1.0beta19 resulted in a much higher security level against all attacks.", + "cve": "PVE-2021-39444", + "id": "pyup.io-39444", + "specs": [ + "<1.0b19" + ], + "v": "<1.0b19" + }, { "advisory": "Chia-blockchain 1.0beta10 includes various vulnerability fixes.", - "cve": null, + "cve": "PVE-2021-38700", "id": "pyup.io-38700", "specs": [ "<1.0beta10" @@ -1895,7 +2484,7 @@ }, { "advisory": "Node peers in chia-blockchain 1.0beta14 are gossiped between nodes with logic to keep connected nodes on disparate internet networks to partially protect from eclipse attacks.", - "cve": null, + "cve": "PVE-2021-38844", "id": "pyup.io-38844", "specs": [ "<1.0beta14" 
@@ -1904,7 +2493,7 @@ }, { "advisory": "Chia-blockchain 1.0beta8 removes the ability to pass in sk_seed to plotting. This increases security.", - "cve": null, + "cve": "PVE-2021-38582", "id": "pyup.io-38582", "specs": [ "<1.0beta8" @@ -1913,12 +2502,41 @@ }, { "advisory": "The Windows BLS Signature library in chia-blockchain 1.0beta9 uses libsodium for additional security. Additionally, this version includes various fixes for various node dependency security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-38629", "id": "pyup.io-38629", "specs": [ "<1.0beta9" ], "v": "<1.0beta9" + }, + { + "advisory": "Chia-blockchain 1.0rc5 updates the 'aiohttp' dependency to 3.7.4 to address a low severity [security issue] (CVE-2021-21330).", + "cve": "CVE-2021-21330", + "id": "pyup.io-39672", + "specs": [ + "<1.0rc5" + ], + "v": "<1.0rc5" + }, + { + "advisory": "Chia-blockchain 1.0rc6 improves defense against many DDoS attacks by rate limiting for the full node. It also changes 'chia keys add' command to take secret words a prompt on the command line or stdin instead of command line arguments.", + "cve": "PVE-2021-39703", + "id": "pyup.io-39703", + "specs": [ + "<1.0rc6" + ], + "v": "<1.0rc6" + } + ], + "chiavdf": [ + { + "advisory": "Chiavdf 1.0 includes a fix to prevent potential grinding attacks.", + "cve": "PVE-2021-39691", + "id": "pyup.io-39691", + "specs": [ + "<1.0" + ], + "v": "<1.0" } ], "cinder": [ @@ -1946,7 +2564,7 @@ "cipher.googlepam": [ { "advisory": "In cipher.googlepam before 1.5.1 do not use the same cache key for all users. Previously when one user logged in successfully, others could not log in using their own passwords -- but the first user could now use her password to log in as anyone else.", - "cve": null, + "cve": "PVE-2021-25652", "id": "pyup.io-25652", "specs": [ "<1.5.1" 
@@ -1957,7 +2575,7 @@ "circup": [ { "advisory": "Circup 0.0.6 includes an unspecified security fix.", - "cve": null, + "cve": "PVE-2021-37936", "id": "pyup.io-37936", "specs": [ "<0.0.6" @@ -1965,10 +2583,21 @@ "v": "<0.0.6" } ], + "ck": [ + { + "advisory": "Ck 1.7.1 fixes a server vulnerability (action with ; can run various CMD commands).", + "cve": "PVE-2021-40221", + "id": "pyup.io-40221", + "specs": [ + "<1.7.1" + ], + "v": "<1.7.1" + } + ], "ckan": [ { "advisory": "ckan 1.5.1 fixes a security issue affecting CKAN v1.5 and before.", - "cve": null, + "cve": "PVE-2021-34556", "id": "pyup.io-34556", "specs": [ "<1.5.1" @@ -1977,18 +2606,27 @@ }, { "advisory": "ckan 1.8.1 fixes possible XSS vulnerability on html input.", - "cve": null, + "cve": "PVE-2021-34558", "id": "pyup.io-34558", "specs": [ "<1.8.1" ], "v": "<1.8.1" + }, + { + "advisory": "Ckan 2.6.9 fixes a code injection issue in the autocomplete module. See .", + "cve": "PVE-2021-39613", + "id": "pyup.io-39613", + "specs": [ + "<2.6.9" + ], + "v": "<2.6.9" } ], "clam": [ { "advisory": "clam 0.9.10 contains security fixes, better protection against possible code injection.", - "cve": null, + "cve": "PVE-2021-25653", "id": "pyup.io-25653", "specs": [ "<0.9.10" @@ -1997,7 +2635,7 @@ }, { "advisory": "clam 0.9.11 contains unknown security fixes in dispatcher.", - "cve": null, + "cve": "PVE-2021-25654", "id": "pyup.io-25654", "specs": [ "<0.9.11" @@ -2019,7 +2657,7 @@ "client-sdk-python": [ { "advisory": "Client-sdk-python 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.", - "cve": null, + "cve": "PVE-2021-37584", "id": "pyup.io-37584", "specs": [ "<4.7.0" 
@@ -2027,10 +2665,41 @@ "v": "<4.7.0" } ], + "clipster-desktop": [ + { + "advisory": "Clipster-desktop 0.3.0 includes various improvements to make the host more secure:\r\n* All clips are encrypted locally in the client before transmission to the server. \r\n* Server host can't decrypt clips: it never learns the users' password.\r\n* Password is not stored in cleartext anymore. Instead password hash is used.", + "cve": "PVE-2021-39388", + "id": "pyup.io-39388", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "cliquery": [ + { + "advisory": "Cliquery 1.10.0 updates the 'lxml' dependency from 4.6.2 to 4.6.3 to fix a security vulnerability.", + "cve": "PVE-2021-40090", + "id": "pyup.io-40090", + "specs": [ + "<1.10.0" + ], + "v": "<1.10.0" + }, + { + "advisory": "Cliquery 1.9.3 updates the 'lxml' dependency from 4.3.0 to 4.6.2. This is a security patch.", + "cve": "PVE-2021-39423", + "id": "pyup.io-39423", + "specs": [ + "<1.9.3" + ], + "v": "<1.9.3" + } + ], "cloudinary": [ { "advisory": "cloudinary before 1.0.21 is vulnerable to an XSS attack on cloudinary_cors.html.", - "cve": null, + "cve": "PVE-2021-34603", "id": "pyup.io-34603", "specs": [ "<1.0.21" @@ -2041,7 +2710,7 @@ "cloudmarker": [ { "advisory": "Cloudmarker 0.0.5 adds the `FirewallRuleEvent` plugin to detect insecure firewall rules.", - "cve": null, + "cve": "PVE-2021-37138", "id": "pyup.io-37138", "specs": [ "<0.0.5" @@ -2052,7 +2721,7 @@ "cmdlr": [ { "advisory": "cmdlr 4.1.0 resists malicious js attack in `run_in_nodejs`", - "cve": null, + "cve": "PVE-2021-36854", "id": "pyup.io-36854", "specs": [ "<4.1.0" @@ -2063,7 +2732,7 @@ "cmsplugin-filer": [ { "advisory": "cmsplugin-filer 1.0.0 contains an unknown XSS fix.", - "cve": null, + "cve": "PVE-2021-25656", "id": "pyup.io-25656", "specs": [ "<1.0.0" @@ -2074,7 +2743,7 @@ "cnx-publishing": [ { "advisory": "Cnx-publishing 0.17.6 bumps urllib3 for a security fix.", - "cve": null, + "cve": "PVE-2021-38128", "id": "pyup.io-38128", "specs": [ "<0.17.6" 
@@ -2096,7 +2765,7 @@ "cockroachdb": [ { "advisory": "cockroachdb 0.3.2 updated urllib3 to remove security vulnerability.", - "cve": null, + "cve": "PVE-2021-37264", "id": "pyup.io-37264", "specs": [ "<0.3.2" @@ -2107,7 +2776,7 @@ "codalab": [ { "advisory": "codalab before 0.2.33 was using a version of gunicorn that had security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-36386", "id": "pyup.io-36386", "specs": [ "<0.2.33" @@ -2116,18 +2785,27 @@ }, { "advisory": "Codalab 0.5.12 fixes a vulnerability. No description of the vulnerability was included.", - "cve": null, + "cve": "PVE-2021-38927", "id": "pyup.io-38927", "specs": [ "<0.5.12" ], "v": "<0.5.12" + }, + { + "advisory": "Codalab 0.5.33 includes a fix for some front-end vulnerabilities (with `npm audit fix`).", + "cve": "PVE-2021-39434", + "id": "pyup.io-39434", + "specs": [ + "<0.5.33" + ], + "v": "<0.5.33" } ], "codecov": [ { "advisory": "Codecov 2.0.16 fixes a reported command injection vulnerability.", - "cve": null, + "cve": "PVE-2021-37934", "id": "pyup.io-37934", "specs": [ "<2.0.16" @@ -2136,7 +2814,7 @@ }, { "advisory": "Codecov 2.0.17 fixes a reported command injection vulnerability.", - "cve": null, + "cve": "PVE-2021-38075", "id": "pyup.io-38075", "specs": [ "<2.0.17" @@ -2144,10 +2822,21 @@ "v": "<2.0.17" } ], + "codeforcesapipy": [ + { + "advisory": "Codeforcesapipy 2.0.8 updates the 'lxml' dependency to 4.6.3 to resolve security issues.", + "cve": "PVE-2021-40099", + "id": "pyup.io-40099", + "specs": [ + "<2.0.8" + ], + "v": "<2.0.8" + } + ], "coinbasepro": [ { "advisory": "coinbasepro 0.1.0 updates requests version to >=2.20.0 to address security vulnerability.", - "cve": null, + "cve": "PVE-2021-36975", "id": "pyup.io-36975", "specs": [ "<0.1.0" 
@@ -2158,7 +2847,7 @@ "coincurve": [ { "advisory": "coincurve before 8.0.0 does not support the new GitHub and PyPI security requirements. \r\nBinary wheels on macOS for Python 3.5 now uses Homebrew Python for compilation due to new security requirements.", - "cve": null, + "cve": "PVE-2021-36299", "id": "pyup.io-36299", "specs": [ "<8.0.0" @@ -2166,10 +2855,21 @@ "v": "<8.0.0" } ], + "coinstac": [ + { + "advisory": "Coinstac 5.2.1 includes various security fixes and package updates.", + "cve": "PVE-2021-40091", + "id": "pyup.io-40091", + "specs": [ + "<5.2.1" + ], + "v": "<5.2.1" + } + ], "colander": [ { "advisory": "colander 1.7.0 - The URL validator regex has been updated to no longer be vulnerable to a\r\n catastrophic backtracking that would have led to an infinite loop.", - "cve": null, + "cve": "PVE-2021-36856", "id": "pyup.io-36856", "specs": [ "<1.7.0" @@ -2180,7 +2880,7 @@ "collective-contact-core": [ { "advisory": "collective-contact-core before 1.10", - "cve": null, + "cve": "PVE-2021-36089", "id": "pyup.io-36089", "specs": [ "<1.10" @@ -2191,7 +2891,7 @@ "collective-noticeboard": [ { "advisory": "collective-noticeboard before 0.7.1 has a security issue, anonymous users could modify notes positions.", - "cve": null, + "cve": "PVE-2021-35879", "id": "pyup.io-35879", "specs": [ "<0.7.1" @@ -2202,7 +2902,7 @@ "collective.contact.core": [ { "advisory": "collective.contact.core 1.10 fixes a security issue related to AddContact.", - "cve": null, + "cve": "PVE-2021-25657", "id": "pyup.io-25657", "specs": [ "<1.10" @@ -2213,7 +2913,7 @@ "collective.documentviewer": [ { "advisory": "collective.documentviewer 1.5.1 fixes a security issue on file resources.", - "cve": null, + "cve": "PVE-2021-25658", "id": "pyup.io-25658", "specs": [ "<1.5.1" 
@@ -2224,7 +2924,7 @@ "collective.easyform": [ { "advisory": "The modeleditor in collective.easyform 3.0.5 no longer resolves entities, and it removes processing instructions. This increases the security.", - "cve": null, + "cve": "PVE-2021-39144", "id": "pyup.io-39144", "specs": [ "<3.0.5" @@ -2235,7 +2935,7 @@ "collective.js.datatables": [ { "advisory": "collective.js.datatables 4.1.1 updates Datatables to 1.10.11, due to a XSS vulnerability in 1.10.4.", - "cve": null, + "cve": "PVE-2021-25659", "id": "pyup.io-25659", "specs": [ "<4.1.1" @@ -2246,7 +2946,7 @@ "collective.noticeboard": [ { "advisory": "collective.noticeboard 0.7.1 fixes a security issue, anonymous users could modify notes positions.", - "cve": null, + "cve": "PVE-2021-25660", "id": "pyup.io-25660", "specs": [ "<0.7.1" @@ -2257,7 +2957,7 @@ "collective.portlet.twitter": [ { "advisory": "collective.portlet.twitter 1.0b3 fixes a potential XSS (arbitrary injection) issue by escaping and quoting all attributes being set on the rendered portlet.", - "cve": null, + "cve": "PVE-2021-25661", "id": "pyup.io-25661", "specs": [ "<1.0b3" @@ -2268,7 +2968,7 @@ "collective.tablepage": [ { "advisory": "collective.tablepage 0.3 fixes a security problem: data inside text cells were transformed to HTML without any check.", - "cve": null, + "cve": "PVE-2021-25664", "id": "pyup.io-25664", "specs": [ "<0.3" @@ -2279,7 +2979,7 @@ "collective.xmpp.chat": [ { "advisory": "collective.xmpp.chat 0.3.1 updates convers.js to 0.6.3 which includes an important security fix.", - "cve": null, + "cve": "PVE-2021-25666", "id": "pyup.io-25666", "specs": [ "<0.3.1" 
@@ -2290,7 +2990,7 @@ "collins-client": [ { "advisory": "Collins 2.1.0 has a very important security patch.\r\n\r\nCollins has a feature that allows you to [encrypt certain attributes](http://tumblr.github.io/collins/configuration.htmlfeatures) on every asset. It also had a permission that restricted which users could read those encrypted tags. It did NOT have a permission that restricted which users could modify encrypted tags.\r\n\r\n*It is strongly recommended that you upgrade to collins 2.1.0 if you are using the encrypted tags feature, as well as rotate any values stored in encrypted tags.*\r\n\r\nThe severity of this vulnerability depends heavily upon how you use collins in your infrastructure. If you do not use the encrypted tags feature, you are not vulnerable to this problem. If you do use the encrypted tags feature, you will need to explore your automation and consider how vulnerable you are.\r\n\r\nIf, for example, your infrastructure has automation that regularly sets the root password on servers to match a value that is in collins, an attacker without the ability to read the current password could set it to a value that they know, wait for the automation to change the password, and then gain root on a server.\r\n\r\nThis change is backwards compatible with collins v2.0.0, though once you upgrade it will stop any writes to encrypted tags by users that have not been granted `feature.canWriteEncryptedTags` permission. We have also renamed `feature.canSeePasswords` to `feature.canSeeEncryptedTags`, but collins will continue to respect the value of `feature.canSeePasswords` if `feature.canSeeEncryptedTags` is not set. Once `feature.canSeeEncryptedTags` is set, collins will ignore the value of `feature.canSeePasswords`.", - "cve": null, + "cve": "PVE-2021-25667", "id": "pyup.io-25667", "specs": [ "<2.1.0" 
@@ -2301,7 +3001,7 @@ "colonyscanalyser": [ { "advisory": "Colonyscanalyser 0.2.0 adds snyk security checks for dependencies.", - "cve": null, + "cve": "PVE-2021-37635", "id": "pyup.io-37635", "specs": [ "<0.2.0" @@ -2309,6 +3009,37 @@ "v": "<0.2.0" } ], + "compliance-trestle": [ + { + "advisory": "Compliance-trestle 0.15.0 upgrades the 'pydantic' to 1.8.2 for an security issue.", + "cve": "PVE-2021-40566", + "id": "pyup.io-40566", + "specs": [ + "<0.15.0" + ], + "v": "<0.15.0" + } + ], + "concrete-datastore": [ + { + "advisory": "Concrete-datastore 1.22.0 adds useful checks to the url_format to avoid template injections.", + "cve": "PVE-2021-39449", + "id": "pyup.io-39449", + "specs": [ + "<1.22.0" + ], + "v": "<1.22.0" + }, + { + "advisory": "Concrete-datastore 1.23.0 adds checks on the url_format for reset password view to avoid template injections.", + "cve": "PVE-2021-39709", + "id": "pyup.io-39709", + "specs": [ + "<1.23.0" + ], + "v": "<1.23.0" + } + ], "conference-scheduler-cli": [ { "advisory": "In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.", @@ -2323,7 +3054,7 @@ "confidant": [ { "advisory": "Confidant 1.1.13 includes a security fix. It was discovered when adding tests after a refactor of some of the KMS authentication code that confidant wasn't properly checking the expiration of KMS auth tokens. If tokens were able to be exfiltrated from a service, they could be used indefinitely. Also, any tokens that are expired will now correctly fail to authenticate.", - "cve": null, + "cve": "PVE-2021-26670", "id": "pyup.io-26670", "specs": [ "<1.1.13" 
@@ -2332,7 +3063,7 @@ }, { "advisory": "confidant 1.1.14 contains a security fix: While preparing for the 1.1 stable release Lyft found a KMS authentication vulnerability in the unreleased 1.1 branch while performing an audit of the code. The vulnerability was introduced while adding the scoped auth key feature (for limiting authentication keys and services to specific AWS accounts), where the key was not properly checked after decryption. This check is an additional verification to add additional safety on-top of the IAM policy of your KMS keys. If IAM policy allows users to use KMS keys without limits on encryption context, a KMS key that wasn't intended to be used for auth, could be used for auth.", - "cve": null, + "cve": "PVE-2021-25668", "id": "pyup.io-25668", "specs": [ "<1.1.14" @@ -2359,7 +3090,7 @@ }, { "advisory": "In confidant 5.0.0, requirements have been updated to resolve some reported security vulnerabilities in a few of the frozen requirements. A library affecting user sessions was upgraded which will cause users to be logged out after upgrade, which means if you're doing a rolling upgrade, that during the upgrade, you may have users that seemingly randomly get logged out. After a finished upgrade, users should only be logged out once, if they're currently logged in.", - "cve": null, + "cve": "PVE-2021-37471", "id": "pyup.io-37471", "specs": [ "<5.0.0" 
@@ -2368,7 +3099,7 @@ }, { "advisory": "Confidant 6.3.0 adds support for keeping track of when credentials should be rotated. It therefore adds three new fields to the Credential model, two of which improve the security (`last_decrypted_date` and `last_rotation_date`). The former explicitly stores when someone viewed a credential. Certain credentials can potentially be highly vulnerable and could benefit from being rotated the moment the credential pair is viewed. The latter stores when a credential was last rotated. Some credentials might need to periodically be rotated for security purposes.", - "cve": null, + "cve": "PVE-2021-38560", "id": "pyup.io-38560", "specs": [ "<6.3.0" @@ -2379,7 +3110,7 @@ "confidence": [ { "advisory": "confidence before 0.4 has a security vulnerability from using ``yaml.load``. \r\nconfidence >=0.4 now uses ``yaml.safe_load``", - "cve": null, + "cve": "PVE-2021-36308", "id": "pyup.io-36308", "specs": [ "<0.4" @@ -2401,7 +3132,7 @@ "confluent-kafka": [ { "advisory": "Confluent-kafka 1.1.0 securely clears the private key data from memory after last use.", - "cve": null, + "cve": "PVE-2021-37508", "id": "pyup.io-37508", "specs": [ "<1.1.0" @@ -2409,7 +3140,7 @@ "v": "<1.1.0" }, { - "advisory": "Confluent-kafka 1.3.0 upgrades builtin lz4 to 1.9.2. See https://github.com/edenhill/librdkafka/issues/2598 and CVE-2019-17543.", + "advisory": "Confluent-kafka 1.3.0 includes a fix for CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", "cve": "CVE-2019-17543", "id": "pyup.io-38072", "specs": [ 
@@ -2419,7 +3150,7 @@ }, { "advisory": "Confluent-kafka 1.4.0 includes two security issues in the SASL SCRAM protocol handler:\r\n * The client nonce, which is expected to be a random string, was a static string.\r\n * If `sasl.username` and `sasl.password` contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.", - "cve": null, + "cve": "PVE-2021-38165", "id": "pyup.io-38165", "specs": [ "<1.4.0" @@ -2430,7 +3161,7 @@ "conn-check": [ { "advisory": "conn-check 1.0.18 ensures pyOpenSSL is always used instead of the ssl modules, see https://urllib3.readthedocs.org/en/latest/security.htmlpyopenssl.", - "cve": null, + "cve": "PVE-2021-25669", "id": "pyup.io-25669", "specs": [ "<1.0.18" @@ -2441,7 +3172,7 @@ "container-service-extension": [ { "advisory": "container-service-extension 1.2.5 adds K8s vulnerability patching", - "cve": null, + "cve": "PVE-2021-36876", "id": "pyup.io-36876", "specs": [ "<1.2.5" @@ -2450,7 +3181,7 @@ }, { "advisory": "Container-service-extension 2.5.0b1 updates the hardcoded_password_string: false positives and test environment password strings marked not vulnerable.", - "cve": null, + "cve": "PVE-2021-37529", "id": "pyup.io-37529", "specs": [ "<2.5.0b1" @@ -2461,7 +3192,7 @@ "contentful": [ { "advisory": "contentful 1.11.3 updates `requests` version due to a vulnerability found in versions `2.19` and below", - "cve": null, + "cve": "PVE-2021-36633", "id": "pyup.io-36633", "specs": [ "<1.11.3" @@ -2481,7 +3212,7 @@ "contentful-management": [ { "advisory": "contentful-management 2.5.0 updates `requests` version due to a vulnerability found in versions `2.19` and below.", - "cve": null, + "cve": "PVE-2021-36599", "id": "pyup.io-36599", "specs": [ "<2.5.0" 
@@ -2492,7 +3223,7 @@ "contestms": [ { "advisory": "contestms 1.2.0 fixes several security bugs around an unsafe use of isolate. These won't be backported to 1.1, so make sure you update.", - "cve": null, + "cve": "PVE-2021-34249", "id": "pyup.io-34249", "specs": [ "<1.2.0" @@ -2503,7 +3234,7 @@ "cookie-manager": [ { "advisory": "Cookie-manager 1.0.3 bumps dependency versions to fix a security issue.", - "cve": null, + "cve": "PVE-2021-38106", "id": "pyup.io-38106", "specs": [ "<1.0.3" @@ -2512,18 +3243,27 @@ }, { "advisory": "Cookie-manager 1.1.0 bumps Bleach to patch a vulnerability.", - "cve": null, + "cve": "PVE-2021-38153", "id": "pyup.io-38153", "specs": [ "<1.1.0" ], "v": "<1.1.0" + }, + { + "advisory": "Cookie-manager 1.2.1 fixes a security vulnerability discovered and patched in a dependency. See Bleach 3.3.0 for further details.", + "cve": "PVE-2021-40165", + "id": "pyup.io-40165", + "specs": [ + "<1.2.1" + ], + "v": "<1.2.1" } ], "cookiecutter": [ { "advisory": "Cookiecutter 0.1.0 fixes insecure gitlab_token retrieval - see: https://github.com/NathanUrwin/cookiecutter-git/issues/6", - "cve": null, + "cve": "PVE-2021-34683", "id": "pyup.io-34683", "specs": [ "<0.1.0" @@ -2532,7 +3272,7 @@ }, { "advisory": "Cookiecutter 0.3.1 updates Pillow version to 3.2.0 (security fix).", - "cve": null, + "cve": "PVE-2021-27445", "id": "pyup.io-27445", "specs": [ "<0.3.1" @@ -2541,7 +3281,7 @@ }, { "advisory": "Cookiecutter 1.1.0 sets explicitly the list of allowed hosts for security reasons.", - "cve": null, + "cve": "PVE-2021-37672", "id": "pyup.io-37672", "specs": [ "<1.1.0" 
@@ -2549,10 +3289,32 @@ "v": "<1.1.0" } ], + "coordination-network-toolkit": [ + { + "advisory": "Coordination-network-toolkit 1.0.2 includes a security patch to the 'urllib3' among other dependency updates.", + "cve": "PVE-2021-40624", + "id": "pyup.io-40624", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" + } + ], + "cortex": [ + { + "advisory": "cortex before 0.32.0", + "cve": "PVE-2021-40128", + "id": "pyup.io-40128", + "specs": [ + "<0.32.0" + ], + "v": "<0.32.0" + } + ], "cosmos-wfm": [ { "advisory": "cosmos-wfm before 2.1.1 is vulnerable to an attack where malicious hackers can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).", - "cve": null, + "cve": "PVE-2021-34181", "id": "pyup.io-34181", "specs": [ "<2.1.1" @@ -2560,10 +3322,21 @@ "v": "<2.1.1" } ], + "coverage": [ + { + "advisory": "Coverage 6.0b1 starts to use a modern hash algorithm (sha256) when fingerprinting for high-security environments.", + "cve": "PVE-2021-41002", + "id": "pyup.io-41002", + "specs": [ + "<6.0b1" + ], + "v": "<6.0b1" + } + ], "coveralls": [ { "advisory": "coveralls 0.1.1 removes repo_token from verbose output for security reasons.", - "cve": null, + "cve": "PVE-2021-25671", "id": "pyup.io-25671", "specs": [ "<0.1.1" @@ -2574,7 +3347,7 @@ "cplay-ng": [ { "advisory": "cplay-ng 1.50 fixes insecure /tmp handling.", - "cve": null, + "cve": "PVE-2021-25672", "id": "pyup.io-25672", "specs": [ "<1.50" 
@@ -2582,10 +3355,21 @@ "v": "<1.50" } ], + "crate-docs-theme": [ + { + "advisory": "Crate-docs-theme 0.13.0 updates/removes Bootstrap and jQuery packages (nine vulnerabilities detected).", + "cve": "PVE-2021-39529", + "id": "pyup.io-39529", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + } + ], "creavel": [ { "advisory": "creavel before 0.11.0 has a unspecified security issue and is vulnerable via unknown vectors.", - "cve": null, + "cve": "PVE-2021-25673", "id": "pyup.io-25673", "specs": [ "<0.11.0" @@ -2594,7 +3378,7 @@ }, { "advisory": "creavel 0.14.0 fixes jinja2 security by using SandboxedEnvironment.", - "cve": null, + "cve": "PVE-2021-25674", "id": "pyup.io-25674", "specs": [ "<0.14.0" @@ -2605,7 +3389,7 @@ "credstash": [ { "advisory": "credstash 1.16.0 updates to pyyaml>=4.2b1 due to security vulnerability in older versions", - "cve": null, + "cve": "PVE-2021-37852", "id": "pyup.io-37852", "specs": [ "<1.16.0" @@ -2616,7 +3400,7 @@ "creopyson": [ { "advisory": "Creopyson 0.4.2 modifies the pipenv config for the bleach security alert.", - "cve": null, + "cve": "PVE-2021-37964", "id": "pyup.io-37964", "specs": [ "<0.4.2" @@ -2627,7 +3411,7 @@ "cromwell-tools": [ { "advisory": "cromwell-tools 1.0.0 updates requests to avoid security issues.", - "cve": null, + "cve": "PVE-2021-36659", "id": "pyup.io-36659", "specs": [ "<1.0.0" @@ -2638,7 +3422,7 @@ "crossbar": [ { "advisory": "In crossbar before 0.15.0 if the `allowedOrigins` websocket option was set, the resulting matching was insufficient and would allow more origins than intended.", - "cve": null, + "cve": "PVE-2021-25675", "id": "pyup.io-25675", "specs": [ "<0.15.0" 
@@ -2647,18 +3431,27 @@ }, { "advisory": "crossbar 0.6.4 fixes a WAMP-CRA timing attack very, very unlikely to be exploitable.", - "cve": null, + "cve": "PVE-2021-25676", "id": "pyup.io-25676", "specs": [ "<0.6.4" ], "v": "<0.6.4" + }, + { + "advisory": "Crossbar 20.12.3 fixes a dependency on Autobahn v20.12.3, which in turn fixes a potential security issue when enabling the Web status page ('enable_webstatus') on WebSocket-WAMP listening transports.", + "cve": "PVE-2021-39329", + "id": "pyup.io-39329", + "specs": [ + "<20.12.3" + ], + "v": "<20.12.3" } ], "crypt": [ { "advisory": "crypt is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, + "cve": "PVE-2021-34981", "id": "pyup.io-34981", "specs": [ ">0", @@ -2670,7 +3463,7 @@ "cryptacular": [ { "advisory": "crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.", - "cve": null, + "cve": "PVE-2021-25677", "id": "pyup.io-25677", "specs": [ "<1.2" @@ -2678,10 +3471,21 @@ "v": "<1.2" } ], + "crypto-candlesticks": [ + { + "advisory": "Crypto-candlesticks 0.1.5 fixes a vulnerability in the 'jinja2' dependency.", + "cve": "PVE-2021-39697", + "id": "pyup.io-39697", + "specs": [ + "<0.1.5" + ], + "v": "<0.1.5" + } + ], "cryptography": [ { "advisory": "cryptography 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.", - "cve": null, + "cve": "PVE-2021-25678", "id": "pyup.io-25678", "specs": [ "<0.9.1" 
@@ -2690,7 +3494,7 @@ }, { "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.", - "cve": null, + "cve": "PVE-2021-25679", "id": "pyup.io-25679", "specs": [ "<1.0.2" @@ -2706,6 +3510,24 @@ ], "v": "<1.5.3" }, + { + "advisory": "Cryptography 3.3 no longer allows loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.", + "cve": "PVE-2021-39252", + "id": "pyup.io-39252", + "specs": [ + "<3.3" + ], + "v": "<3.3" + }, + { + "advisory": "In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. See: CVE-2020-36242.", + "cve": "CVE-2020-36242", + "id": "pyup.io-39606", + "specs": [ + "<3.3.2" + ], + "v": "<3.3.2" + }, { "advisory": "Cryptography 3.2 was released with the warning that its maintainers became aware of a Bleichenbacher vulnerability that they were only partly able to mitigate. See: CVE-2020-25659.", "cve": "CVE-2020-25659", 
@@ -2728,7 +3550,7 @@ "cryptography-vectors": [ { "advisory": "cryptography-vectors 0.9.1 fixes a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.", - "cve": null, + "cve": "PVE-2021-25681", "id": "pyup.io-25681", "specs": [ "<0.9.1" @@ -2737,7 +3559,7 @@ }, { "advisory": "The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia K\u00e4sper (Google Security Team)** for the report.", - "cve": null, + "cve": "PVE-2021-25682", "id": "pyup.io-25682", "specs": [ "<1.0.2" @@ -2757,7 +3579,7 @@ "cssutils": [ { "advisory": "In cssutils before 0.9.6a2 comments added by ``cssutils.resolveImports`` only use the import rules' href and not the absolute href of the referenced sheets anymore (might have been a possible security hole when showing a full local path to a sheet in a combined but not minified sheet)", - "cve": null, + "cve": "PVE-2021-25684", "id": "pyup.io-25684", "specs": [ "<0.9.6a2" @@ -2765,6 +3587,17 @@ "v": "<0.9.6a2" } ], + "cstar": [ + { + "advisory": "Cstar 0.5.0 fixes a security problem in a dependency (spotify). See: .", + "cve": "PVE-2021-39224", + "id": "pyup.io-39224", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + } + ], "cumin": [ { "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in Cumin before r5238 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) widgets or (2) pages.", 
@@ -2779,7 +3612,7 @@ "cupy": [ { "advisory": "`cupy.load` in cupy 7.0.0b2 specifies `allow_pickle=False` by default to follow the security fix made in NumPy 1.16.3 (see https://github.com/numpy/numpy/pull/13359 and https://github.com/cupy/cupy/pull/2290). Most users should not be affected by this change; users loading `ndarray` serialized using pickle may need to explicitly specify `allow_pickle=True`.", - "cve": null, + "cve": "PVE-2021-37395", "id": "pyup.io-37395", "specs": [ "<7.0.0b2" 
@@ -2787,76 +3620,200 @@ "v": "<7.0.0b2" } ], - "datacube": [ + "dact": [ { - "advisory": "datacube 1.6.2 is a Patch release to build a new Docker container, to resolve an upstream security bug.", - "cve": null, - "id": "pyup.io-36835", + "advisory": "Dact 1.1.1 includes a few security patches.", + "cve": "PVE-2021-39403", + "id": "pyup.io-39403", "specs": [ - "<1.6.2" + "<1.1.1" ], - "v": "<1.6.2" + "v": "<1.1.1" } ], - "datasette": [ + "dash": [ { - "advisory": "Datasette 0.46 contains a security fix related to authenticated writable canned queries. CSRF tokens were incorrectly included in read-only canned query forms, which could allow them to be leaked to a sophisticated attacker.", - "cve": null, - "id": "pyup.io-38671", + "advisory": "Dash 1.20.0 starts to validate callback request 'outputs' vs. 'output' to avoid a perceived security issue.", + "cve": "PVE-2021-40183", + "id": "pyup.io-40183", "specs": [ - "<0.46" + "<1.20.0" ], - "v": "<0.46" - } - ], - "datasette-graphql": [ + "v": "<1.20.0" + }, { - "advisory": "Satasette-graphql before 1.2 included a plugin that could expose schema details of databases that should not be visible, though not their actual row content. See: .", - "cve": null, - "id": "pyup.io-39174", + "advisory": "Dash 2.2.0 includes a security fix.", + "cve": "PVE-2021-40962", + "id": "pyup.io-40962", "specs": [ - "<1.2" + "<2.2.0" ], - "v": "<1.2" + "v": "<2.2.0" } ], - "datasette-indieauth": [ + "dash-bio": [ { - "advisory": "Datasette-indieauth before 1.1 trusts the \"me\" field returned by the authorization server without verifying it.", - "cve": null, - "id": "pyup.io-39164", + "advisory": "Dash-bio 0.5.1 fixes an abandoned resource vulnerability with CircosJS fork.", + "cve": "PVE-2021-39411", + "id": "pyup.io-39411", "specs": [ - "<1.1" + "<0.5.1" ], - "v": "<1.1" + "v": "<0.5.1" } ], - "datasette-insert": [ + "dash-io": [ { - "advisory": "Datasette-insert 0.6 is locked down by default. 
This plugin no longer defaults to allowing all, reducing the risk that someone may deploy it without sufficient security.", - "cve": null, - "id": "pyup.io-38644", + "advisory": "Dash-io 0.0.1.post1 removes the 'Pickle' library for security reason.", + "cve": "PVE-2021-40961", + "id": "pyup.io-40961", "specs": [ - "<0.6" + "<0.0.1.post1" ], - "v": "<0.6" + "v": "<0.0.1.post1" } ], - "datasette-seaborn": [ + "datacube": [ { - "advisory": "The maintainers or the datasette-seaborn package acknowledge that version 0.1a0 is buggy and probably not secure.", - "cve": null, - "id": "pyup.io-38782", + "advisory": "datacube 1.6.2 is a Patch release to build a new Docker container, to resolve an upstream security bug.", + "cve": "PVE-2021-36835", + "id": "pyup.io-36835", "specs": [ - "==0.1a0" + "<1.6.2" ], - "v": "==0.1a0" + "v": "<1.6.2" } ], - "dateable-chronos": [ + "datagristle": [ + { + "advisory": "Datagristle 0.1.7 bumps versions on dependent modules to eliminate vulnerabilities.", + "cve": "PVE-2021-40237", + "id": "pyup.io-40237", + "specs": [ + "<0.1.7" + ], + "v": "<0.1.7" + } + ], + "datajob": [ + { + "advisory": "Datajob 0.6.0 includes a patch to shell out commands more securely.", + "cve": "PVE-2021-40144", + "id": "pyup.io-40144", + "specs": [ + "<0.6.0" + ], + "v": "<0.6.0" + } + ], + "datasette": [ + { + "advisory": "Datasette 0.46 contains a security fix related to authenticated writable canned queries. 
CSRF tokens were incorrectly included in read-only canned query forms, which could allow them to be leaked to a sophisticated attacker.", + "cve": "PVE-2021-38671", + "id": "pyup.io-38671", + "specs": [ + "<0.46" + ], + "v": "<0.46" + }, + { + "advisory": "Datasette 0.55 starts to use Python 3.7.10 in official Docker image, applying the latest security fix.", + "cve": "PVE-2021-40541", + "id": "pyup.io-40541", + "specs": [ + "<0.55" + ], + "v": "<0.55" + }, + { + "advisory": "Datasette 0.56.1 fixes a reflected cross-site scripting security hole with the '?_trace=1' feature. You should upgrade to this version, or to the 'Datasette' 0.57, as soon as possible.", + "cve": "PVE-2021-40619", + "id": "pyup.io-40619", + "specs": [ + "<0.56.1" + ], + "v": "<0.56.1" + }, + { + "advisory": "Datasette 0.57 fixes a reflected cross-site scripting security hole with the '?_trace=1' feature. You should upgrade to this version, or to the 'Datasette' 0.56.1, as soon as possible.", + "cve": "PVE-2021-40618", + "id": "pyup.io-40618", + "specs": [ + "<0.57" + ], + "v": "<0.57" + } + ], + "datasette-auth-passwords": [ + { + "advisory": "Datasette-auth-passwords 0.4.1 now depends on the 'datasette' >=0.56.1, to avoid a security vulnerability.", + "cve": "PVE-2021-40620", + "id": "pyup.io-40620", + "specs": [ + "<0.4.1" + ], + "v": "<0.4.1" + } + ], + "datasette-css-properties": [ + { + "advisory": "Datasette-css-properties 0.2 makes the '.css' pages send the 'x-content-type-options: nosniff' header to protect against browsers incorrectly rendering the CSS as HTML which could be an XSS security hole.", + "cve": "PVE-2021-39422", + "id": "pyup.io-39422", + "specs": [ + "<0.2" + ], + "v": "<0.2" + } + ], + "datasette-graphql": [ + { + "advisory": "Satasette-graphql before 1.2 included a plugin that could expose schema details of databases that should not be visible, though not their actual row content. 
See: .", + "cve": "PVE-2021-39174", + "id": "pyup.io-39174", + "specs": [ + "<1.2" + ], + "v": "<1.2" + } + ], + "datasette-indieauth": [ + { + "advisory": "Datasette-indieauth before 1.1 trusts the \"me\" field returned by the authorization server without verifying it.", + "cve": "PVE-2021-39164", + "id": "pyup.io-39164", + "specs": [ + "<1.1" + ], + "v": "<1.1" + } + ], + "datasette-insert": [ + { + "advisory": "Datasette-insert 0.6 is locked down by default. This plugin no longer defaults to allowing all, reducing the risk that someone may deploy it without sufficient security.", + "cve": "PVE-2021-38644", + "id": "pyup.io-38644", + "specs": [ + "<0.6" + ], + "v": "<0.6" + } + ], + "datasette-seaborn": [ + { + "advisory": "The maintainers or the datasette-seaborn package acknowledge that version 0.1a0 is buggy and probably not secure.", + "cve": "PVE-2021-38782", + "id": "pyup.io-38782", + "specs": [ + "==0.1a0" + ], + "v": "==0.1a0" + } + ], + "dateable-chronos": [ { "advisory": "dateable-chronos before 0.7.2 fixed a XSS vulnerability in the get_view_day method.", - "cve": null, + "cve": "PVE-2021-35988", "id": "pyup.io-35988", "specs": [ "<0.7.2" @@ -2867,7 +3824,7 @@ "dateable.chronos": [ { "advisory": "dateable.chronos 0.7.2 fixes a XSS vulnerability in the get_view_day method.", - "cve": null, + "cve": "PVE-2021-25685", "id": "pyup.io-25685", "specs": [ "<0.7.2" @@ -2878,7 +3835,7 @@ "datera-cinder": [ { "advisory": "Datera-cinder 2018.10.30.0 updates the required requests version to >=2.20.0 because of a security vulnerability in <=2.19.X.", - "cve": null, + "cve": "PVE-2021-37204", "id": "pyup.io-37204", "specs": [ "<2018.10.30.0" 
@@ -2886,10 +3843,30 @@ "v": "<2018.10.30.0" } ], + "dawgie": [ + { + "advisory": "Dawgie 1.2.3 includes a vulnerability fix.", + "cve": "PVE-2021-40122", + "id": "pyup.io-40122", + "specs": [ + "<1.2.3" + ], + "v": "<1.2.3" + }, + { + "advisory": "Dawgie 1.2.9 adds clean methods to limit malicious code.", + "cve": "PVE-2021-40121", + "id": "pyup.io-40121", + "specs": [ + "<1.2.9" + ], + "v": "<1.2.9" + } + ], "ddtrace": [ { "advisory": "ddtrace 0.11.0 removes the `sql.query` tag from SQL spans, so that the content is properly obfuscated in the Agent. This security fix is required to prevent wrong data collection of reported SQL queries. This issue impacts only MySQL integrations and NOT `psycopg2` or `sqlalchemy` while using the PostgreSQL driver.", - "cve": null, + "cve": "PVE-2021-35790", "id": "pyup.io-35790", "specs": [ "<0.11.0" @@ -2900,7 +3877,7 @@ "debianized-jupyterhub": [ { "advisory": "debianized-jupyterhub 0.9.51 updates to release 0.9.5 + NB 5.7.7 (fix for Open Redirect vulnerability)", - "cve": null, + "cve": "PVE-2021-37002", "id": "pyup.io-37002", "specs": [ "<0.9.51" @@ -2911,7 +3888,7 @@ "debops": [ { "advisory": "Debops 0.8.0 installs upstream NodeSource APT packages by default. This is due to `no security support in Debian Stable`__, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.", - "cve": null, + "cve": "PVE-2021-36371", "id": "pyup.io-36371", "specs": [ "<0.8.0" 
@@ -2920,7 +3897,7 @@ }, { "advisory": "Debops 1.0.0:\r\n\r\n- The :command:`lxc-prepare-ssh` script will read the public SSH keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container's ``root`` account.\r\n\r\n- The :command:`lxc-new-unprivileged` script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via :command:`sudo`. The default LXC configuration file used by the script can be configured in :file:`/etc/lxc/lxc.conf` configuration file.\r\n\r\n- (:ref:`debops.php` role) New APT signing keys` have been created for his Debian APT repository with PHP packages, due to security concerns. The :ref:`debops.php` role will remove the old APT GPG key and add the new one automatically. See: .", - "cve": null, + "cve": "PVE-2021-37159", "id": "pyup.io-37159", "specs": [ "<1.0.0" @@ -2929,7 +3906,7 @@ }, { "advisory": "The :command:`lxc-prepare-ssh` script in debops 1.1.0 will no longer install SSH keys from the LXC host ``root`` account on the LXC container ``root`` account. This can cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.", - "cve": null, + "cve": "PVE-2021-37404", "id": "pyup.io-37404", "specs": [ "<1.1.0" 
@@ -2937,7 +3914,7 @@ "v": "<1.1.0" }, { - "advisory": "In debops 1.2.0:\r\n- The use of the ``params`` option in the ``ldap_attrs`` and ``ldap_entry`` Ansible modules is deprecated due to their insecure nature.\r\n- The CVE-2019-11043 vulnerability has been mitigated in the :command:`nginx` ``php`` and ``php5`` configuration templates. The mitigation is based on the `suggested workaround`__ from the PHP Bug Tracker.\r\n- A security patch for the CVE-2019-11043 vulnerability has been applied in the Nextcloud configuration for the :ref:`debops.nginx` role. The patch is based on the `fix suggested by upstream`.", + "advisory": "Debops 1.2.0 includes a security patch for the CVE-2019-11043: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.", "cve": "CVE-2019-11043", "id": "pyup.io-37733", "specs": [ @@ -2947,7 +3924,7 @@ }, { "advisory": "Debops 1.7.0 includes a change in its RoundCube configuration. RoundCube will use the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", - "cve": null, + "cve": "PVE-2021-37732", "id": "pyup.io-37732", "specs": [ "<1.7.0" 
@@ -2956,7 +3933,7 @@ }, { "advisory": "RoundCube in debops 2.0.0 uses the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.", - "cve": null, + "cve": "PVE-2021-26403", "id": "pyup.io-26403", "specs": [ "<2.0.0" @@ -2967,7 +3944,7 @@ "decaptcha": [ { "advisory": "decaptcha 1.0.0 includes a patch for security vulnerability: pin pillow>=6.2.0", - "cve": null, + "cve": "PVE-2021-37892", "id": "pyup.io-37892", "specs": [ "<1.0.0" @@ -2976,7 +3953,7 @@ }, { "advisory": "decaptcha 1.0.1 includes a patch for security vulnerability: tensorflow==1.15.0", - "cve": null, + "cve": "PVE-2021-37891", "id": "pyup.io-37891", "specs": [ "<1.0.1" @@ -2987,7 +3964,7 @@ "deeposlandia": [ { "advisory": "Deeposlandia 0.6 updates its dependencies, especially `Tensorflow`, due to vulnerability issues.", - "cve": null, + "cve": "PVE-2021-38133", "id": "pyup.io-38133", "specs": [ "<0.6" @@ -2996,7 +3973,7 @@ }, { "advisory": "Deeposlandia 0.6.2 updates pillow to 7.1.1 to fix a moderate-severity vulnerability in pillow <6.2.2.", - "cve": null, + "cve": "PVE-2021-38285", "id": "pyup.io-38285", "specs": [ "<0.6.2" 
@@ -3057,30 +4034,48 @@ ], "deis": [ { - "advisory": "deis before 1.3.1 has SSLv3 enabled which has known security issues. See CVE-2014-3566.", + "advisory": "Deis 1.4.0 includes a fix for CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue.", "cve": "CVE-2014-3566", "id": "pyup.io-25691", "specs": [ - "<1.3.1" + "<=1.3.1" ], - "v": "<1.3.1" + "v": "<=1.3.1" } ], "deltachat": [ + { + "advisory": "Deltachat 1.0.0b17 fixes SQL/injection malformed Chat-Group-Name breakage.", + "cve": "PVE-2021-40086", + "id": "pyup.io-40086", + "specs": [ + "<1.0.0b17" + ], + "v": "<1.0.0b17" + }, { "advisory": "deltachat 1.0.0beta.2 has several security fixes", - "cve": null, + "cve": "PVE-2021-37922", "id": "pyup.io-37922", "specs": [ "<1.0.0beta.2" ], "v": "<1.0.0beta.2" + }, + { + "advisory": "Deltachat 1.51.0 improves and harden secure join feature.", + "cve": "PVE-2021-40084", + "id": "pyup.io-40084", + "specs": [ + "<1.51.0" + ], + "v": "<1.51.0" } ], "deluge": [ { "advisory": "Deluge 2.0.0 updates SSL/TLS Protocol parameters for better security.", - "cve": null, + "cve": "PVE-2021-37155", "id": "pyup.io-37155", "specs": [ "<2.0.0" @@ -3088,10 +4083,21 @@ "v": "<2.0.0" } ], + "descarteslabs": [ + { + "advisory": "Descarteslabs 1.8.1 upgrades the 'requests' dependency (>=2.25.1, <3) to fix a security issue.", + "cve": "PVE-2021-40827", + "id": "pyup.io-40827", + "specs": [ + "<1.8.1" + ], + "v": "<1.8.1" + } + ], "destringcare": [ { "advisory": "destringcare 0.0.4 change: Removed `pycrypto` due to security issue", - "cve": null, + "cve": "PVE-2021-37228", "id": "pyup.io-37228", "specs": [ "<0.0.4" 
@@ -3102,7 +4108,7 @@ "determined": [ { "advisory": "Determined 0.12.12rc0 upgrades lodash to fix a vulnerability.", - "cve": null, + "cve": "PVE-2021-38656", "id": "pyup.io-38656", "specs": [ "<0.12.12rc0" 
@@ -3111,18 +4117,69 @@ }, { "advisory": "Determined 0.12.7 resolves new node security vulnerabilities (fd34fec) and updates link to support secure blank targets (d1146d3).", - "cve": null, + "cve": "PVE-2021-38415", "id": "pyup.io-38415", "specs": [ "<0.12.7" ], "v": "<0.12.7" + }, + { + "advisory": "Determined 0.14.0 updates the 'storybook' dependency to resolve a GitHub security vulnerability for 'highlight.js'.", + "cve": "PVE-2021-39625", + "id": "pyup.io-39625", + "specs": [ + "<0.14.0" + ], + "v": "<0.14.0" + }, + { + "advisory": "Determined 0.16.0.dev0 upgrades the 'ws' dependency to patch a security vulnerability.", + "cve": "PVE-2021-40670", + "id": "pyup.io-40670", + "specs": [ + "<0.16.0.dev0" + ], + "v": "<0.16.0.dev0" + } + ], + "diffpriv": [ + { + "advisory": "Diffpriv 1.0.0rc1 includes a security fix: with the 'diff' and 'enc' modules, parameters were stored in Python memory, and never removed. This commit deletes these parameters and helps prevent attackers from gaining access to these parameters, which can help them gain access to the original text and/or data.", + "cve": "PVE-2021-40539", + "id": "pyup.io-40539", + "specs": [ + "<1.0.0rc1" + ], + "v": "<1.0.0rc1" + } + ], + "digitalmarketplace-utils": [ + { + "advisory": "Digitalmarketplace-utils versions before v22.0.0 included vulnerabilities where untrusted input might result in susceptibility to a cross-site scripting (XSS) exploit.", + "cve": "PVE-2021-39653", + "id": "pyup.io-39653", + "specs": [ + "<22.0.0" + ], + "v": "<22.0.0" + } + ], + "dirac": [ + { + "advisory": "dirac 2.1 updates OpenSSL to avoid CVE-2021-3449 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449", + "cve": "PVE-2021-40206", + "id": "pyup.io-40206", + "specs": [ + "<2.1" + ], + "v": "<2.1" } ], "directory-client-core": [ { "advisory": "Directory-client-core 5.1.1 upgrades a vulnerable Django version to Django 1.11.22.", - "cve": null, + "cve": "PVE-2021-38689", "id": "pyup.io-38689", "specs": [ "<5.1.1" 
@@ -3133,7 +4190,7 @@ "directory-components": [ { "advisory": "Directory-components 25.0.1 includes an update to fix the lodash vulnerability.", - "cve": null, + "cve": "PVE-2021-37298", "id": "pyup.io-37298", "specs": [ "<25.0.1" @@ -3142,7 +4199,7 @@ }, { "advisory": "The `django_language` and `country` cookies in directory-components 33.0.0 set as secure and http-only.", - "cve": null, + "cve": "PVE-2021-37475", "id": "pyup.io-37475", "specs": [ "<33.0.0" @@ -3150,10 +4207,21 @@ "v": "<33.0.0" } ], + "dirsearch": [ + { + "advisory": "Dirsearch 0.4.2 fixes a CSV Injection vulnerability. See also: .", + "cve": "PVE-2021-40799", + "id": "pyup.io-40799", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + } + ], "discogs-client": [ { "advisory": "discogs-client 2.2.2 updates dependencies to resolve security vulnerabilities", - "cve": null, + "cve": "PVE-2021-36787", "id": "pyup.io-36787", "specs": [ "<2.2.2" @@ -3161,10 +4229,21 @@ "v": "<2.2.2" } ], + "discord-ext-slash": [ + { + "advisory": "For some extra security, Discord-ext-slash 0.2.3 looks up commands by both their name and guild ID if their command ID fails to return any results (it returns a warning with 'SlashWarning' both times, and returns an error if still no command is found.)", + "cve": "PVE-2021-39641", + "id": "pyup.io-39641", + "specs": [ + "<0.2.3" + ], + "v": "<0.2.3" + } + ], "discordpie": [ { "advisory": "Discordpie 0.5.1 includes a security patch. No details are given.", - "cve": null, + "cve": "PVE-2021-38343", "id": "pyup.io-38343", "specs": [ "<0.5.1" 
@@ -3172,10 +4251,21 @@ "v": "<0.5.1" } ], + "dispatch": [ + { + "advisory": "Dispatch 1.3.16 updates the 'Django' dependency version for security reasons.", + "cve": "PVE-2021-40402", + "id": "pyup.io-40402", + "specs": [ + "<1.3.16" + ], + "v": "<1.3.16" + } + ], "djangae": [ { "advisory": "djangae before 0.9.4 uses Django 1.7 which is no longer supported (EOL, with known security issues).", - "cve": null, + "cve": "PVE-2021-25693", "id": "pyup.io-25693", "specs": [ "<0.9.4" @@ -3204,9 +4294,9 @@ "v": "<1.0.4,>=1.1,<1.1.1" }, { - "advisory": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.", - "cve": "CVE-2010-4534", - "id": "pyup.io-33058", + "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.", + "cve": "CVE-2010-4535", + "id": "pyup.io-33059", "specs": [ "<1.1.3", ">=1.2,<1.2.4" 
@@ -3214,9 +4304,9 @@ "v": "<1.1.3,>=1.2,<1.2.4" }, { - "advisory": "The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.", - "cve": "CVE-2010-4535", - "id": "pyup.io-33059", + "advisory": "The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.", + "cve": "CVE-2010-4534", + "id": "pyup.io-33058", "specs": [ "<1.1.3", ">=1.2,<1.2.4" @@ -3252,15 +4342,6 @@ ], "v": "<1.1.4,>=1.2,<1.2.5" }, - { - "advisory": "django 1.11.18 fixes a security issue in 1.11.17 (CVE-2019-3498) where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", - "cve": "CVE-2019-3498", - "id": "pyup.io-36771", - "specs": [ - "<1.11.18,>=1.11.17" - ], - "v": "<1.11.18,>=1.11.17" - }, { "advisory": "Django 1.11.x before 1.11.19 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", "cve": "CVE-2019-6975", 
@@ -3283,7 +4364,7 @@ }, { "advisory": "Django 1.11.22 fixes a security issue in 1.11.21.", - "cve": null, + "cve": "PVE-2021-37259", "id": "pyup.io-37259", "specs": [ "<1.11.22,>1.11.21" @@ -3311,9 +4392,9 @@ "v": "<1.2.2" }, { - "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", - "cve": "CVE-2011-4136", - "id": "pyup.io-33063", + "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.", + "cve": "CVE-2011-4138", + "id": "pyup.io-33065", "specs": [ "<1.2.7", ">=1.3,<1.3.1" 
@@ -3321,9 +4402,9 @@ "v": "<1.2.7,>=1.3,<1.3.1" }, { - "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", - "cve": "CVE-2011-4137", - "id": "pyup.io-33064", + "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", + "cve": "CVE-2011-4140", + "id": "pyup.io-33066", "specs": [ "<1.2.7", ">=1.3,<1.3.1" @@ -3331,9 +4412,9 @@ "v": "<1.2.7,>=1.3,<1.3.1" }, { - "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.", - "cve": "CVE-2011-4138", - "id": "pyup.io-33065", + "advisory": "django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.", + "cve": "CVE-2011-4136", + "id": "pyup.io-33063", "specs": [ "<1.2.7", ">=1.3,<1.3.1" 
@@ -3341,9 +4422,9 @@ "v": "<1.2.7,>=1.3,<1.3.1" }, { - "advisory": "The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.", - "cve": "CVE-2011-4140", - "id": "pyup.io-33066", + "advisory": "The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.", + "cve": "CVE-2011-4137", + "id": "pyup.io-33064", "specs": [ "<1.2.7", ">=1.3,<1.3.1" @@ -3424,9 +4505,9 @@ "v": "<1.4.18,>=1.7,<1.7.3,>=1.6,<1.6.10" }, { - "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.", - "cve": "CVE-2016-2513", - "id": "pyup.io-33074", + "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", + "cve": "CVE-2016-2512", + "id": "pyup.io-33073", "specs": [ "<1.8.10", ">=1.9,<1.9.3" 
@@ -3434,9 +4515,9 @@ "v": "<1.8.10,>=1.9,<1.9.3" }, { - "advisory": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", - "cve": "CVE-2016-2512", - "id": "pyup.io-33073", + "advisory": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.", + "cve": "CVE-2016-2513", + "id": "pyup.io-33074", "specs": [ "<1.8.10", ">=1.9,<1.9.3" @@ -3461,15 +4542,6 @@ ], "v": "<2.1.2,>=2.1.0" }, - { - "advisory": "django 2.1.5 fixes a security issue in 2.1.4 (CVE-2019-3498) where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", - "cve": "CVE-2019-3498", - "id": "pyup.io-36769", - "specs": [ - "<2.1.5,>=2.1.4" - ], - "v": "<2.1.5,>=2.1.4" - }, { "advisory": "Django 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", "cve": "CVE-2019-6975", 
@@ -3498,8 +4570,35 @@ "v": "==1.11.20" }, { - "advisory": "Django 1.11.23 fixes the following security issues in 1.11.22: CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, and CVE-2019-14235.", - "cve": "CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235", + "advisory": "Django 1.11.23 fixes CVE-2019-14235 in 1.11.22.", + "cve": "CVE-2019-14235", + "id": "pyup.io-39599", + "specs": [ + "==1.11.22" + ], + "v": "==1.11.22" + }, + { + "advisory": "Django 1.11.23 fixes CVE-2019-14233 in 1.11.22.", + "cve": "CVE-2019-14233", + "id": "pyup.io-39601", + "specs": [ + "==1.11.22" + ], + "v": "==1.11.22" + }, + { + "advisory": "Django 1.11.23 fixes CVE-2019-14234 in 1.11.22.", + "cve": "CVE-2019-14234", + "id": "pyup.io-39600", + "specs": [ + "==1.11.22" + ], + "v": "==1.11.22" + }, + { + "advisory": "Django 1.11.23 fixes the following security issue in 1.11.22: CVE-2019-14232.", + "cve": "CVE-2019-14232", "id": "pyup.io-37326", "specs": [ "==1.11.22" 
@@ -3534,25 +4633,43 @@ "v": "==2.0.7" }, { - "advisory": "django 2.0.10 fixes a security issue - CVE-2019-3498 - where content spoofing possibility in the default 404 page.\r\n\r\nAn attacker could craft a malicious URL that could make spoofed content appear\r\non the default page generated by the ``django.views.defaults.page_not_found()``\r\nview.\r\n\r\nThe URL path is no longer displayed in the default 404 template and the\r\n``request_path`` context variable is now quoted to fix the issue for custom\r\ntemplates that use the path.", - "cve": "CVE-2019-3498", - "id": "pyup.io-36770", + "advisory": "Django 2.1.11 fixes a security issue in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``", + "cve": "CVE-2019-14232", + "id": "pyup.io-37325", "specs": [ - "==2.0.9" + "==2.1.10" ], - "v": "==2.0.9" + "v": "==2.1.10" }, { - "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", - "cve": "CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, CVE-2019-14235", - "id": "pyup.io-37325", + "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``", + "cve": "CVE-2019-14233", + "id": "pyup.io-39598", "specs": [ "==2.1.10" ], "v": "==2.1.10" }, { - "advisory": "Django 2.1.15 fixes CVE-2019-19118 in 2.1.14: Privilege escalation in the Django admin.", + "advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", + "cve": "CVE-2019-14235", + "id": "pyup.io-39596", + "specs": [ + "==2.1.10" + ], + "v": "==2.1.10" + }, + { + 
"advisory": "Django 2.1.11 fixes security issues in 2.1.10:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``", + "cve": "CVE-2019-14234", + "id": "pyup.io-39597", + "specs": [ + "==2.1.10" + ], + "v": "==2.1.10" + }, + { + "advisory": "Django 2.1.15 fixes CVE-2019-19118 in 2.1.14: Privilege escalation in the Django admin.", "cve": "CVE-2019-19118", "id": "pyup.io-37657", "specs": [ @@ -3561,8 +4678,8 @@ "v": "==2.1.14" }, { - "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 (AdminURLFieldWidget XSS) and it includes a patched bundled jQuery for CVE-2019-11358 (Prototype pollution).", - "cve": "CVE-2019-12308, CVE-2019-11358", + "advisory": "Django 2.1.9 fixes security issues in 2.1.8: CVE-2019-12308 (AdminURLFieldWidget XSS).", + "cve": "CVE-2019-12308", "id": "pyup.io-37185", "specs": [ "==2.1.8" 
@@ -3570,31 +4687,41 @@ "v": "==2.1.8" }, { - "advisory": "Django 2.1.10 fixes a security issue in 2.1.9. CVE-2020-9402: Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle", - "cve": "CVE-2020-9402", - "id": "pyup.io-37258", + "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS).", + "cve": "CVE-2019-12308", + "id": "pyup.io-37184", "specs": [ - "==2.1.9" + "==2.2.1" ], - "v": "==2.1.9" + "v": "==2.2.1" }, { - "advisory": "Django 2.2.2 fixes security issues in 2.2.1: CVE-2019-12308 (AdminURLFieldWidget XSS) and it includes a patched bundled jQuery for CVE-2019-11358 (Prototype pollution).", - "cve": "CVE-2019-12308, CVE-2019-11358", - "id": "pyup.io-37184", + "advisory": "Django 2.2.1 and 2.1.8 include the vulnerability CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", + "cve": "CVE-2019-11358", + "id": "pyup.io-39594", "specs": [ - "==2.2.1" + "==2.2.1", + "==2.1.8" ], - "v": "==2.2.1" + "v": "==2.2.1,==2.1.8" }, { - "advisory": "Django 2.2.11 fixes a security issue in 2.2.10. Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle. 
See CVE-2020-9402.", - "cve": "CVE-2020-9402", - "id": "pyup.io-37969", + "advisory": "Django 2.2.18 fixes a security issue with severity \"low\" in 2.2.17 (CVE-2021-3281).", + "cve": "CVE-2021-3281", + "id": "pyup.io-39523", + "specs": [ + "==2.2.17" + ], + "v": "==2.2.17" + }, + { + "advisory": "Django 2.2.18 includes the vulnerability CVE-2021-23336: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.", + "cve": "CVE-2021-23336", + "id": "pyup.io-39646", "specs": [ - "==2.2.10" + "==2.2.18" ], - "v": "==2.2.10" + "v": "==2.2.18" }, { "advisory": "Django 2.2.3 fixes CVE-2019-12781 in 2.2.2: incorrect HTTP detection with reverse-proxy connecting via HTTPS.", 
@@ -3606,8 +4733,53 @@ "v": "==2.2.2" }, { - "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", - "cve": "CVE-2019-14232, CVE-2019-14233, CVE-2019-14234, CVE-2019-14235", + "advisory": "Django 2.2.24 fixes security issue in 2.2.23 (CVE-2021-33571).", + "cve": "PVE-2021-40597", + "id": "pyup.io-40597", + "specs": [ + "==2.2.23" + ], + "v": "==2.2.23" + }, + { + "advisory": "Django 2.2.24 fixes security issue in 2.2.23 (CVE-2021-33203).", + "cve": "PVE-2021-40586", + "id": "pyup.io-40586", + "specs": [ + "==2.2.23" + ], + "v": "==2.2.23" + }, + { + "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``", + "cve": "CVE-2019-14233", + "id": "pyup.io-39593", + "specs": [ + "==2.2.3" + ], + "v": "==2.2.3" + }, + { + "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``", + "cve": "CVE-2019-14234", + "id": "pyup.io-39592", + "specs": [ + "==2.2.3" + ], + "v": "==2.2.3" + }, + { + "advisory": "Django 2.2.4 fixes security issues in 2.2.3:\r\n- CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``", + "cve": "CVE-2019-14235", + "id": "pyup.io-39591", + "specs": [ + "==2.2.3" + ], + "v": "==2.2.3" + }, + { + "advisory": "Django 2.2.4 fixes a security issue in 2.2.3:\r\n- CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``", + "cve": "CVE-2019-14232", "id": "pyup.io-37323", "specs": [ "==2.2.3" 
@@ -3650,6 +4822,24 @@ ], "v": "==3.0" }, + { + "advisory": "Django 3.0.12 fixes a security issue with severity \"low\" in 3.0.11 (CVE-2021-3281).", + "cve": "CVE-2021-3281", + "id": "pyup.io-39522", + "specs": [ + "==3.0.11" + ], + "v": "==3.0.11" + }, + { + "advisory": "Django 3.0.12 includes vulnerability CVE-2021-23336: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.", + "cve": "CVE-2021-23336", + "id": "pyup.io-39645", + "specs": [ + "==3.0.12" + ], + "v": "==3.0.12" + }, { "advisory": "Django 3.0.3 fixes a security issue and several bugs in 3.0.2. Potential SQL injection via `StringAgg(delimiter)`. See: CVE-2020-7471.", "cve": "CVE-2020-7471", 
@@ -3660,26 +4850,62 @@ "v": "==3.0.2" }, { - "advisory": "Django 3.0.4 fixes a security issue in 3.0.3: potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle.", - "cve": "CVE-2020-9402", - "id": "pyup.io-27043", + "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33571).", + "cve": "PVE-2021-40598", + "id": "pyup.io-40598", "specs": [ - "==3.0.3" + "==3.1.11" ], - "v": "==3.0.3" + "v": "==3.1.11" }, { - "advisory": "Django 3.0.4 fixes a security issue in 3.0.3. Potential SQL injection via ``tolerance`` parameter in GIS functions and aggregates on Oracle. See CVE-2020-9402.", - "cve": "CVE-2020-9402", - "id": "pyup.io-37968", + "advisory": "Django 3.1.12 fixes two security issues in 3.1.11 (CVE-2021-33203).", + "cve": "PVE-2021-40585", + "id": "pyup.io-40585", + "specs": [ + "==3.1.11" + ], + "v": "==3.1.11" + }, + { + "advisory": "Django 3.1.6 fixes a security issue with severity \"low\" and a bug in 3.1.5 (CVE-2021-3281).", + "cve": "CVE-2021-3281", + "id": "pyup.io-39521", + "specs": [ + "==3.1.5" + ], + "v": "==3.1.5" + }, + { + "advisory": "Django 3.1.6 includes vulnerability CVE-2021-23336: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. 
This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.", + "cve": "CVE-2021-23336", + "id": "pyup.io-39644", + "specs": [ + "==3.1.6" + ], + "v": "==3.1.6" + }, + { + "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-33203).", + "cve": "PVE-2021-40584", + "id": "pyup.io-40584", + "specs": [ + "==3.2.3" + ], + "v": "==3.2.3" + }, + { + "advisory": "Django 3.2.4 fixes two security issues and several bugs in 3.2.3 (CVE-2021-3357).", + "cve": "PVE-2021-40599", + "id": "pyup.io-40599", "specs": [ - "==3.0.3" + "==3.2.3" ], - "v": "==3.0.3" + "v": "==3.2.3" }, { "advisory": "Django 1.10.3 fixes two security issues and several bugs in 1.10.2.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", - "cve": null, + "cve": "PVE-2021-25722", "id": "pyup.io-25722", "specs": [ ">=1.10,<1.10.3" 
@@ -3736,9 +4962,9 @@ "v": ">=1.11.0,<1.11.21,>=2.1,<2.1.9,>=2.2,<2.2.2" }, { - "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.", - "cve": "CVE-2019-14234", - "id": "pyup.io-37357", + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", + "cve": "CVE-2019-14232", + "id": "pyup.io-37329", "specs": [ ">=1.11.0,<1.11.23", ">=2.1.0,<2.1.11", 
@@ -3747,9 +4973,9 @@ "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" }, { - "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", - "cve": "CVE-2019-14235", - "id": "pyup.io-37331", + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.", + "cve": "CVE-2019-14234", + "id": "pyup.io-37357", "specs": [ ">=1.11.0,<1.11.23", ">=2.1.0,<2.1.11", 
@@ -3769,9 +4995,9 @@ "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" }, { - "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", - "cve": "CVE-2019-14232", - "id": "pyup.io-37329", + "advisory": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", + "cve": "CVE-2019-14235", + "id": "pyup.io-37331", "specs": [ ">=1.11.0,<1.11.23", ">=2.1.0,<2.1.11", @@ -3780,7 +5006,7 @@ "v": ">=1.11.0,<1.11.23,>=2.1.0,<2.1.11,>=2.2.0,<2.2.4" }, { - "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. See CVE-2020-9402.", + "advisory": "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL Injections if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL. See: CVE-2020-9402.", "cve": "CVE-2020-9402", "id": "pyup.io-38010", "specs": [ 
@@ -3809,6 +5035,15 @@ ], "v": ">=1.11a1,<1.11.15,>=2.0a1,<2.0.8" }, + { + "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.", + "cve": "CVE-2019-3498", + "id": "pyup.io-36771", + "specs": [ + ">=1.11a1,<1.11.18" + ], + "v": ">=1.11a1,<1.11.18" + }, { "advisory": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.", "cve": "CVE-2013-0305", @@ -4002,7 +5237,7 @@ }, { "advisory": "Django 1.9.11 fixes two security issues in 1.9.10.\r\n\r\nUser with hardcoded password created when running tests on Oracle\r\n=================================================================\r\n\r\nWhen running tests with an Oracle database, Django creates a temporary database\r\nuser. In older versions, if a password isn't manually specified in the database\r\nsettings ``TEST`` dictionary, a hardcoded password is used. This could allow\r\nan attacker with network access to the database server to connect.\r\n\r\nThis user is usually dropped after the test suite completes, but not when using\r\nthe ``manage.py test --keepdb`` option or if the user has an active session\r\n(such as an attacker's connection).\r\n\r\nA randomly generated password is now used for each test run.\r\n\r\nDNS rebinding vulnerability when ``DEBUG=True``\r\n===============================================", - "cve": null, + "cve": "PVE-2021-25734", "id": "pyup.io-25734", "specs": [ ">=1.9,<1.9.11" 
@@ -4038,6 +5273,26 @@ ], "v": ">=1.9,<1.9.8,==1.8.14,>=1.10,<1.10rc1" }, + { + "advisory": "Django 2.2.24, 3.1.12, and 3.2.4 includes a fix for CVE-2021-33203: Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.", + "cve": "CVE-2021-33203", + "id": "pyup.io-40637", + "specs": [ + ">=2.0.0a1,<2.2.24", + ">=3.0.0a1,<3.1.12", + ">=3.2.0a1,<3.2.4" + ], + "v": ">=2.0.0a1,<2.2.24,>=3.0.0a1,<3.1.12,>=3.2.0a1,<3.2.4" + }, + { + "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.", + "cve": "CVE-2019-3498", + "id": "pyup.io-36770", + "specs": [ + ">=2.0a1,<2.0.10" + ], + "v": ">=2.0a1,<2.0.10" + }, { "advisory": "Django 2.0.x before 2.0.11 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", "cve": "CVE-2019-6975", 
@@ -4091,14 +5346,57 @@ "v": ">=2.1,<2.1.15,>=2.2,<2.2.8" }, { - "advisory": "CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.", - "cve": "CVE-2020-13596", - "id": "pyup.io-38372", + "advisory": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.", + "cve": "CVE-2019-3498", + "id": "pyup.io-36769", "specs": [ - ">=3.0a1,<3.0.7", - ">=2.2a1,<2.2.13" + ">=2.1a1,<2.1.5" ], - "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" + "v": ">=2.1a1,<2.1.5" + }, + { + "advisory": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments. 
See CVE-2021-3281.", + "cve": "CVE-2021-3281", + "id": "pyup.io-39526", + "specs": [ + ">=2.2,<2.2.18", + ">=3.1,<3.1.6", + ">=3.0,<3.0.12" + ], + "v": ">=2.2,<2.2.18,>=3.1,<3.1.6,>=3.0,<3.0.12" + }, + { + "advisory": "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.", + "cve": "CVE-2021-31542", + "id": "pyup.io-40404", + "specs": [ + ">=2.2,<2.2.21", + ">=3.1a1,<3.1.9", + ">=3.2,<3.2.1" + ], + "v": ">=2.2,<2.2.21,>=3.1a1,<3.1.9,>=3.2,<3.2.1" + }, + { + "advisory": "Django 2.2.24, 3.1.12, and 3.2.4 includes a fix for CVE-2021-33571: In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+).", + "cve": "CVE-2021-33571", + "id": "pyup.io-40638", + "specs": [ + ">=2.2.0a1,<2.2.24", + ">=3.0.0a1,<3.1.12", + ">=3.2.0a1,<3.2.4" + ], + "v": ">=2.2.0a1,<2.2.24,>=3.0.0a1,<3.1.12,>=3.2.0a1,<3.2.4" + }, + { + "advisory": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.", + "cve": "CVE-2021-28658", + "id": "pyup.io-40163", + "specs": [ + ">=2.2a1,<2.2.20", + ">=3.0a1,<3.0.14", + ">=3.1a1,<3.1.8" + ], + "v": ">=2.2a1,<2.2.20,>=3.0a1,<3.0.14,>=3.1a1,<3.1.8" }, { "advisory": "CVE-2020-13254: Potential data leakage via malformed memcached keys. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. 
In order to avoid this vulnerability, key validation is added to the memcached cache backends.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.", 
@@ -4109,12 +5407,43 @@ ">=2.2a1,<2.2.13" ], "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" + }, + { + "advisory": "CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget. Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.\r\n\r\nAdditionally, Django 2.2.13 and 3.0.7 upgrade the version of jQuery used by the admin to 3.5.1 for security reasons.", + "cve": "CVE-2020-13596", + "id": "pyup.io-38372", + "specs": [ + ">=3.0a1,<3.0.7", + ">=2.2a1,<2.2.13" + ], + "v": ">=3.0a1,<3.0.7,>=2.2a1,<2.2.13" + }, + { + "advisory": "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.", + "cve": "CVE-2021-35042", + "id": "pyup.io-40899", + "specs": [ + ">=3.1,<3.1.13", + ">=3.2,<3.2.5" + ], + "v": ">=3.1,<3.1.13,>=3.2,<3.2.5" + }, + { + "advisory": "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.", + "cve": "CVE-2021-32052", + "id": "pyup.io-40414", + "specs": [ + ">=3.1a1,<3.1.10", + ">=2.2a1,<2.2.22", + ">=3.2a1,<3.2.2" + ], + "v": ">=3.1a1,<3.1.10,>=2.2a1,<2.2.22,>=3.2a1,<3.2.2" } ], "django-access-tokens": [ { "advisory": "django-access-tokens 0.9.2 fixes scoping of permissions where the token provides a smaller subset of the required permissions. As an extreme case, an access token granting no permissions could be used to access any permissions on the site.", - "cve": null, + "cve": "PVE-2021-25736", "id": "pyup.io-25736", "specs": [ "<0.9.2" 
@@ -4125,7 +5454,7 @@ "django-access-tokens-py3": [ { "advisory": "Fixing scoping of permissions where the token provides a\r\nsmaller subset of the required permissions. As an extreme case, an access token\r\ngranting no permissions could be used to access any permissions on the site.", - "cve": null, + "cve": "PVE-2021-34892", "id": "pyup.io-34892", "specs": [ "<0.9.2" @@ -4136,7 +5465,7 @@ "django-afip": [ { "advisory": "Django-afip 7.1.1 overrides the TLS configuration for AFIP's servers (and only those). They have worsened their security configuration, and it's now seen as insecure by default on many environments.", - "cve": null, + "cve": "PVE-2021-38705", "id": "pyup.io-38705", "specs": [ "<7.1.1" @@ -4147,7 +5476,7 @@ "django-airplane": [ { "advisory": "django-airplane 0.3 updates minimum django to secure 2.0.2.", - "cve": null, + "cve": "PVE-2021-36587", "id": "pyup.io-36587", "specs": [ "<0.3" @@ -4158,7 +5487,7 @@ "django-allauth": [ { "advisory": "django-allauth before 0.28.0 previous versions contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.", - "cve": null, + "cve": "PVE-2021-25737", "id": "pyup.io-25737", "specs": [ "<0.28.0" 
@@ -4167,7 +5496,7 @@ }, { "advisory": "On django-allauth before 0.34.0 the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.", - "cve": null, + "cve": "PVE-2021-35034", "id": "pyup.io-35034", "specs": [ "<0.34.0" @@ -4187,7 +5516,7 @@ "django-allauth-underground": [ { "advisory": "django-allauth-underground before 0.28.0 contained a vulnerability allowing an attacker to alter the\r\n provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the\r\n larger ``SOCIALACCOUNT_PROVIDERS`` setting).", - "cve": null, + "cve": "PVE-2021-36394", "id": "pyup.io-36394", "specs": [ "<0.28.0" @@ -4198,7 +5527,7 @@ "django-anonymizer": [ { "advisory": "Changed 'Anonymizer.attributes' to require every field to be listed. This is deal with the common security problem when a model is updated, but the Anonymizer is not updated.", - "cve": null, + "cve": "PVE-2021-25738", "id": "pyup.io-25738", "specs": [ "<0.4" @@ -4209,7 +5538,7 @@ "django-anonymizer-compat": [ { "advisory": "Changed 'Anonymizer.attributes' to require every field to be listed. This is deal with the common security problem when a model is updated, but the Anonymizer is not updated.", - "cve": null, + "cve": "PVE-2021-25739", "id": "pyup.io-25739", "specs": [ "<0.4" @@ -4229,7 +5558,7 @@ }, { "advisory": "In django-anymail v0.2\u2013v1.3 the WEBHOOK_AUTHORIZATION key might get leaked if DEBUG=True since it isn\u2019t sanitized properly.", - "cve": null, + "cve": "PVE-2021-35198", "id": "pyup.io-35198", "specs": [ ">=0.2,<1.4" 
@@ -4240,7 +5569,7 @@ "django-autocomplete-light": [ { "advisory": "django-autocomplete-light before 2.3.0 when updating the queryset from outside the autocomplete class may lead to a security problem, ie. if you don't replicate filters you apply manually on the autocomplete object choices into choices_for_request() then a malicious user could see choices which they shouldn't by querying the autocomplete directly.", - "cve": null, + "cve": "PVE-2021-25740", "id": "pyup.io-25740", "specs": [ "<2.3.0" @@ -4251,7 +5580,7 @@ "django-awl": [ { "advisory": "django-awl 0.22.2 updates minimum library requirements for django 2.0.2 and 2.1.2 to reflect\r\nsecurity updates.", - "cve": null, + "cve": "PVE-2021-36588", "id": "pyup.io-36588", "specs": [ "<0.22.2" @@ -4260,7 +5589,7 @@ }, { "advisory": "Django-awl 1.0 updates the minimum library requirements for django 2.0.2 and 2.1.2 to reflect security updates.", - "cve": null, + "cve": "PVE-2021-38139", "id": "pyup.io-38139", "specs": [ "<1.0" 
@@ -4270,18 +5599,18 @@ ], "django-basic-auth-ip-whitelist": [ { - "advisory": "Django-basic-auth-ip-whitelist 0.3.4 fixes a potential timing attack if basic authentication is enabled.", - "cve": null, - "id": "pyup.io-38438", + "advisory": "In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings. See: CVE-2020-4071.", + "cve": "CVE-2020-4071", + "id": "pyup.io-38443", "specs": [ "<0.3.4" ], "v": "<0.3.4" }, { - "advisory": "In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. 
Currently the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid credentials. This attack is understood not to be realistic over the Internet. However, it may be achieved from within local networks where the website is hosted, e.g. from inside a data centre where a website's server is located. Sites protected by IP address whitelisting only are unaffected by this vulnerability. This vulnerability has been fixed on version 0.3.4 of django-basic-auth-ip-whitelist. Update to version 0.3.4 as soon as possible and change basic authentication username and password configured on a Django project using this package. A workaround without upgrading to version 0.3.4 is to stop using basic authentication and use the IP whitelisting component only. It can be achieved by not setting BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD in Django project settings. See: CVE-2020-4071.", - "cve": "CVE-2020-4071", - "id": "pyup.io-38443", + "advisory": "Django-basic-auth-ip-whitelist 0.3.4 fixes a potential timing attack if basic authentication is enabled.", + "cve": "PVE-2021-38438", + "id": "pyup.io-38438", "specs": [ "<0.3.4" ], @@ -4291,7 +5620,7 @@ "django-basicauth": [ { "advisory": "django-basicauth before 0.4.2 is vulnerable to undisclosed timing attacks.", - "cve": null, + "cve": "PVE-2021-35076", "id": "pyup.io-35076", "specs": [ "<0.4.2" @@ -4302,7 +5631,7 @@ "django-bootstrap4": [ { "advisory": "Django-bootstrap4 2.3.0 updates the Sphinx dependency because of security update.", - "cve": null, + "cve": "PVE-2021-38870", "id": "pyup.io-38870", "specs": [ "<2.3.0" 
@@ -4313,16 +5642,25 @@ "django-ca": [ { "advisory": "django-ca 1.10.0 stores CA private keys in the more secure PKCS8 format.", - "cve": null, + "cve": "PVE-2021-37015", "id": "pyup.io-37015", "specs": [ "<1.10.0" ], "v": "<1.10.0" }, + { + "advisory": "Django-ca 1.17.0 secures CSRF and session cookies using Djangos `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_HTTPONLY` and `CSRF_COOKIE_SECURE` settings. It also adds several security related headers to the admin interface (CSP, etc).", + "cve": "PVE-2021-39375", + "id": "pyup.io-39375", + "specs": [ + "<1.17.0" + ], + "v": "<1.17.0" + }, { "advisory": "django-ca before 1.9.0 did not properly escape x509 extensions, allowing for potential injection attacks.", - "cve": null, + "cve": "PVE-2021-36405", "id": "pyup.io-36405", "specs": [ "<1.9.0" @@ -4344,7 +5682,7 @@ "django-cms": [ { "advisory": "django-cms 2.1.3 fixes a serious security issue in PlaceholderAdmin", - "cve": null, + "cve": "PVE-2021-25741", "id": "pyup.io-25741", "specs": [ "<2.1.3" @@ -4353,7 +5691,7 @@ }, { "advisory": "django-cms before 2.1.4 fixes a XSS issue in Text Plugins.", - "cve": null, + "cve": "PVE-2021-25742", "id": "pyup.io-25742", "specs": [ "<2.1.4" @@ -4362,7 +5700,7 @@ }, { "advisory": "django-cms 3.0.14 fixes an issue where privileged users could be tricked into performing actions without their knowledge via a CSRF vulnerability", - "cve": null, + "cve": "PVE-2021-25743", "id": "pyup.io-25743", "specs": [ "<3.0.14" @@ -4381,7 +5719,7 @@ }, { "advisory": "django-cms 3.2.4 addresses security vulnerabilities in the `render_model` template tag that could lead to escalation of privileges or other security issues. It also addresses a security vulnerability in the cms' usage of the messages framework. Furthermore it fixes security vulnerabilities in custom FormFields that could lead to escalation of privileges or other security issue", - "cve": null, + "cve": "PVE-2021-25746", "id": "pyup.io-25746", "specs": [ "<3.2.4" 
@@ -4390,7 +5728,7 @@ }, { "advisory": "django-cms 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code and a vulnerability where the next parameter for the toolbar login was not sanitised and could point to another domain.", - "cve": null, + "cve": "PVE-2021-34226", "id": "pyup.io-34226", "specs": [ "<3.4.3" @@ -4399,7 +5737,7 @@ }, { "advisory": "Django-cms 3.4.7 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", - "cve": null, + "cve": "PVE-2021-38791", "id": "pyup.io-38791", "specs": [ ">=3.4.0,<3.4.7" @@ -4408,7 +5746,7 @@ }, { "advisory": "Django-cms 3.5.4 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", - "cve": null, + "cve": "PVE-2021-38790", "id": "pyup.io-38790", "specs": [ ">=3.5.0,<3.5.4" @@ -4417,7 +5755,7 @@ }, { "advisory": "django-cms before 3.6.1\r\nDjango-cms 3.6.1 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", - "cve": null, + "cve": "PVE-2021-38789", "id": "pyup.io-38789", "specs": [ ">=3.6.0,<3.6.1" @@ -4426,7 +5764,7 @@ }, { "advisory": "Django-cms 3.7.4 fixes a security vulnerability in the plugin_type url parameter to insert JavaScript code.", - "cve": null, + "cve": "PVE-2021-38788", "id": "pyup.io-38788", "specs": [ ">=3.7.0,<3.7.4" @@ -4437,7 +5775,7 @@ "django-cms-patched": [ { "advisory": "django-cms-patched before 3.0.17 has security vulnerabilities in the `render_model` template tag that could\r\n lead to escalation of privileges or other security issues.", - "cve": null, + "cve": "PVE-2021-34123", "id": "pyup.io-34123", "specs": [ "<3.0.17" @@ -4446,7 +5784,7 @@ }, { "advisory": "django-cms-patched 3.4.3 fixes a security vulnerability in the page redirect field which allowed users to insert JavaScript code.", - "cve": null, + "cve": "PVE-2021-34121", "id": "pyup.io-34121", "specs": [ "<3.4.3" 
@@ -4457,7 +5795,7 @@ "django-cors-headers": [ { "advisory": "In django-cors-headers version 3.0.0, ``CORS_ORIGIN_WHITELIST`` requires URI schemes, and optionally ports. This is part of the CORS specification (Section 3.2 ) that was not implemented in this library, except from with the ``CORS_ORIGIN_REGEX_WHITELIST`` setting. It fixes a security issue where the CORS middleware would allow requests between schemes, for example from insecure ``http://`` Origins to a secure ``https://`` site.\r\n\r\nYou will need to update your whitelist to include schemes, for example from this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['example.com']\r\n\r\nto this:\r\n\r\nCORS_ORIGIN_WHITELIST = ['https://example.com']", - "cve": null, + "cve": "PVE-2021-37132", "id": "pyup.io-37132", "specs": [ "<3.0.0" @@ -4468,7 +5806,7 @@ "django-councilmatic": [ { "advisory": "Django-councilmatic 2.5.9 patches a XSS vulnerability when using filter options. This issue happens for all cities that use your product. Within the /search view, you can use the filter parameters to run Javascript code in an HTML script tag. See: .", - "cve": null, + "cve": "PVE-2021-38708", "id": "pyup.io-38708", "specs": [ "<2.5.9" @@ -4479,7 +5817,7 @@ "django-countries": [ { "advisory": "django-countries 3.4 fixes a XSS escaping issue in CountrySelectWidget.", - "cve": null, + "cve": "PVE-2021-25747", "id": "pyup.io-25747", "specs": [ "<3.4" @@ -4488,7 +5826,7 @@ }, { "advisory": "django-countries 3.4 fixes an XSS escaping issue in CountrySelectWidget", - "cve": null, + "cve": "PVE-2021-37951", "id": "pyup.io-37951", "specs": [ "<3.4" @@ -4499,7 +5837,7 @@ "django-crispy-forms": [ { "advisory": "django-crispy-forms 1.1.4 contains a security fix: Thread safety fixes to `CrispyFieldNode` thanks to Paul Oswald. This avoids leaking information between requests in multithreaded WSGI servers.", - "cve": null, + "cve": "PVE-2021-25751", "id": "pyup.io-25751", "specs": [ "<1.1.4" 
@@ -4510,7 +5848,7 @@ "django-crispy-forms-ng": [ { "advisory": "django-crispy-forms before 0.9.0 fixes a XSS bug thanks to Charlie Denton, see GH-98. Errors cannot be rendered safe, because field's input can be part of the error message, that would mean XSS.", - "cve": null, + "cve": "PVE-2021-25750", "id": "pyup.io-25750", "specs": [ "<0.9.0" @@ -4541,7 +5879,7 @@ "django-dajaxice-me": [ { "advisory": "django-dajaxice-me 0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.", - "cve": null, + "cve": "PVE-2021-25752", "id": "pyup.io-25752", "specs": [ "<0.1.7" @@ -4552,7 +5890,7 @@ "django-dajaxice-ng": [ { "advisory": "django-dajaxice-ng 0.1.7 fixes the dajaxice callback model to improve security against XSS attacks.", - "cve": null, + "cve": "PVE-2021-25753", "id": "pyup.io-25753", "specs": [ "<0.1.7" @@ -4560,10 +5898,23 @@ "v": "<0.1.7" } ], + "django-debug-toolbar": [ + { + "advisory": "A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form. See CVE-2021-30459.", + "cve": "CVE-2021-30459", + "id": "pyup.io-40207", + "specs": [ + "<1.11.1", + ">2,<2.2.1", + ">3,<3.2.1" + ], + "v": "<1.11.1,>2,<2.2.1,>3,<3.2.1" + } + ], "django-discord-bind": [ { "advisory": "django-discord-bind 0.2.0 added state validation to prevent CSRF attacks.", - "cve": null, + "cve": "PVE-2021-25754", "id": "pyup.io-25754", "specs": [ "<0.2.0" @@ -4574,7 +5925,7 @@ "django-embed-video": [ { "advisory": "django-embed-video 0.3 has a security fix: faked urls are treated as invalid.", - "cve": null, + "cve": "PVE-2021-25755", "id": "pyup.io-25755", "specs": [ "<0.3" 
@@ -4585,7 +5936,7 @@ "django-envelope": [ { "advisory": "django-envelope 0.4.1 contains a security bugfix regarding initial form values.", - "cve": null, + "cve": "PVE-2021-25756", "id": "pyup.io-25756", "specs": [ "<0.4.1" @@ -4596,7 +5947,7 @@ "django-epiced": [ { "advisory": "django-epiced before 0.3.0 does not escape HTML output by default.", - "cve": null, + "cve": "PVE-2021-34269", "id": "pyup.io-34269", "specs": [ "<0.3.0" @@ -4617,18 +5968,18 @@ ], "django-fernet-fields": [ { - "advisory": "django-fernet-fields 0.3 removes DualField and HashField. The only cases where they are useful, they aren't secure.", - "cve": null, - "id": "pyup.io-25757", + "advisory": "django-fernet-fields before 0.3 has DualField and HashField. The only cases where they are useful, they aren't secure.", + "cve": "PVE-2021-34331", + "id": "pyup.io-34331", "specs": [ "<0.3" ], "v": "<0.3" }, { - "advisory": "django-fernet-fields before 0.3 has DualField and HashField. The only cases where they are useful, they aren't secure.", - "cve": null, - "id": "pyup.io-34331", + "advisory": "django-fernet-fields 0.3 removes DualField and HashField. The only cases where they are useful, they aren't secure.", + "cve": "PVE-2021-25757", + "id": "pyup.io-25757", "specs": [ "<0.3" ], @@ -4638,7 +5989,7 @@ "django-fiber": [ { "advisory": "django-fiber 0.9.9.1 contains a security bugfix: Changed permission check in API from IsAuthenticated to IsAdminUser", - "cve": null, + "cve": "PVE-2021-25758", "id": "pyup.io-25758", "specs": [ "<0.9.9.1" @@ -4649,7 +6000,7 @@ "django-filebrowser-no-grappelli-staff": [ { "advisory": "django-filebrowser-no-grappelli-staff 3.4.2 fixes a XSS vulnerability with fb_tags.", - "cve": null, + "cve": "PVE-2021-25760", "id": "pyup.io-25760", "specs": [ "<3.4.2" 
@@ -4660,18 +6011,27 @@ "django-filter": [ { "advisory": "Django-filter 2.4.0 added a MaxValueValidator to the form field for NumberFilter. This prevents a potential DoS attack if numbers with very large exponents were subsequently converted to integers.", - "cve": null, + "cve": "PVE-2021-38825", "id": "pyup.io-38825", "specs": [ "<2.4.0" ], "v": "<2.4.0" + }, + { + "advisory": "In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.", + "cve": "CVE-2020-15225", + "id": "pyup.io-40317", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" } ], "django-fluent-comments": [ { "advisory": "django-fluent-comments 1.0.1 fixes security hash formatting errors on bad requests..", - "cve": null, + "cve": "PVE-2021-25761", "id": "pyup.io-25761", "specs": [ "<1.0.1" @@ -4682,7 +6042,7 @@ "django-formidable": [ { "advisory": "Django-formidable 4.0.0 adds an XSS prevention mechanism.", - "cve": null, + "cve": "PVE-2021-37875", "id": "pyup.io-37875", "specs": [ "<4.0.0" @@ -4693,7 +6053,7 @@ "django-friendship": [ { "advisory": "django-friendship 1.2.0 fixes a security issue where the library was not checking the owner of a FriendRequest during accept and cancelation.", - "cve": null, + "cve": "PVE-2021-25762", "id": "pyup.io-25762", "specs": [ "<1.2.0" 
@@ -4704,7 +6064,7 @@ "django-guts": [ { "advisory": "django-guts 0.1.1 fixes a security issue, allowing anyone to read any file.", - "cve": null, + "cve": "PVE-2021-25763", "id": "pyup.io-25763", "specs": [ "<0.1.1" @@ -4715,7 +6075,7 @@ "django-hashedfilenamestorage": [ { "advisory": "django-hashedfilenamestorage 2.4 bumps Django dependency requirement to avoid vulnerable Django versions", - "cve": null, + "cve": "PVE-2021-36802", "id": "pyup.io-36802", "specs": [ "<2.4" @@ -4726,7 +6086,7 @@ "django-hashid-field": [ { "advisory": "Django-hashid-field v1.0.0 \r\n\r\nIf you already specified `salt` in fields, like `id = HashidField(salt=\"something\")` everywhere then you're already set, and can upgrade worry-free.\r\n\r\nIf you instead let the module fallback to `salt=settings.SECRET_KEY` (default behavior) then this upgrade will change all of your existing fields. It has been pointed out that it's possible to discover the salt used when encoding Hashids, and thus it is very dangerous to use settings.SECRET_KEY, as an attacker may be able to get your SECRET_KEY from your HashidFields.\r\n\r\nIf you absolutely MUST maintain backwards-compatibility and continue to support your old hashed values, then you can set `HASHID_FIELD_SALT = SECRET_KEY` in your settings. But this is *VERY DISCOURAGED*.", - "cve": null, + "cve": "PVE-2021-38508", "id": "pyup.io-38508", "specs": [ "<1.0.0" @@ -4735,7 +6095,7 @@ }, { "advisory": "Django-hashid-field 3.1.1 fixes a security bug where comparison operators (gt, gte, lt, lte) would allow integer lookups regardless of ALLOW_INT_LOOKUP setting.", - "cve": null, + "cve": "PVE-2021-37680", "id": "pyup.io-37680", "specs": [ "<3.1.1" @@ -4746,7 +6106,7 @@ "django-haystack": [ { "advisory": "django-haystack 1.1 removes insecure use of ``eval`` from the Whoosh backend.", - "cve": null, + "cve": "PVE-2021-25764", "id": "pyup.io-25764", "specs": [ "<1.1" 
@@ -4757,7 +6117,7 @@ "django-heartbeat": [ { "advisory": "Django-heartbeat 2.0.3 fixes its dependency to an insecure psutil package.", - "cve": null, + "cve": "PVE-2021-38604", "id": "pyup.io-38604", "specs": [ "<2.0.3" @@ -4768,7 +6128,7 @@ "django-hijack": [ { "advisory": "django-hijack before 1.0.7 has a unspecified security issue and is vulnerable via unknown vectors.", - "cve": null, + "cve": "PVE-2021-25765", "id": "pyup.io-25765", "specs": [ "<1.0.7" @@ -4779,7 +6139,7 @@ "django-howl": [ { "advisory": "django-howl 1.0.4 updates django version to avoid security warnings.", - "cve": null, + "cve": "PVE-2021-37240", "id": "pyup.io-37240", "specs": [ "<1.0.4" @@ -4788,7 +6148,7 @@ }, { "advisory": "Django-howl 1.0.5 updates Pipfile.lock and test environment to avoid security issues.", - "cve": null, + "cve": "PVE-2021-38069", "id": "pyup.io-38069", "specs": [ "<1.0.5" @@ -4799,7 +6159,7 @@ "django-html5-appcache": [ { "advisory": "django-html5-appcache 0.3.0 added a security check for sensitive views.", - "cve": null, + "cve": "PVE-2021-25766", "id": "pyup.io-25766", "specs": [ "<0.3.0" @@ -4810,7 +6170,7 @@ "django-idempotency-key": [ { "advisory": "Django-idempotency-key 1.1.0 drops support for Django (1.9, 1.10, 1.11). Django 1.11 was dropped because of security issues and is near to its end of life support. Django-idempotency-key 1.1.0 also updates some packages with security issues: Django (>=2.x), Bleach (>=3.1.4), Urllib3 (>=1.24.2).", - "cve": null, + "cve": "PVE-2021-38162", "id": "pyup.io-38162", "specs": [ "<1.1.0" @@ -4821,7 +6181,7 @@ "django-initial-avatars": [ { "advisory": "django-initial-avatars before 0.4 has a unspecified security issue and is vulnerable via unknown vectors.", - "cve": null, + "cve": "PVE-2021-25767", "id": "pyup.io-25767", "specs": [ "<0.4" 
@@ -4830,7 +6190,7 @@ }, { "advisory": "django-initial-avatars before 0.5.0 has a unspecified security issue and is vulnerable via unknown vectors.", - "cve": null, + "cve": "PVE-2021-25768", "id": "pyup.io-25768", "specs": [ "<0.5.0" @@ -4841,7 +6201,7 @@ "django-jet": [ { "advisory": "django-jet 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.", - "cve": null, + "cve": "PVE-2021-25769", "id": "pyup.io-25769", "specs": [ "<1.0.4" @@ -4849,6 +6209,28 @@ "v": "<1.0.4" } ], + "django-jet-reboot": [ + { + "advisory": "Django-jet-reboot 1.0.4 fixes a security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.", + "cve": "PVE-2021-39370", + "id": "pyup.io-39370", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], + "django-jinja-knockout": [ + { + "advisory": "'TemplateContext' class is used in Django-jinja-knockout 0.9.0 to manage client-side data injection.", + "cve": "PVE-2021-39610", + "id": "pyup.io-39610", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], "django-js-reverse": [ { "advisory": "django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline. See: CVE-2019-15486.", @@ -4863,7 +6245,7 @@ "django-lazysignup": [ { "advisory": "django-lazysignup before 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.", - "cve": null, + "cve": "PVE-2021-25770", "id": "pyup.io-25770", "specs": [ "<0.4.0" 
@@ -4874,7 +6256,7 @@ "django-lazysignup-redux": [ { "advisory": "django-lazysignup-redux 0.4.0 fixes a security issue: Generated usernames are now based on the session key, rather than actually being the session key. This is to avoid a potential security issue where an app might simply display a username, giving away a significant part of the user's session key. The username is now generated from a SHA1 hash of the session key. This change means that existing generated users will become invalid.", - "cve": null, + "cve": "PVE-2021-25771", "id": "pyup.io-25771", "specs": [ "<0.4.0" @@ -4885,7 +6267,7 @@ "django-lfs": [ { "advisory": "django-lfs before 0.6.9 has a unspecified security issue and is vulnerable via unknown vectors.", - "cve": null, + "cve": "PVE-2021-25772", "id": "pyup.io-25772", "specs": [ "<0.6.9" @@ -4896,7 +6278,7 @@ "django-mail-auth": [ { "advisory": "Django-mail-auth 0.1.3 fixes session key security issues.", - "cve": null, + "cve": "PVE-2021-37171", "id": "pyup.io-37171", "specs": [ "<0.1.3" @@ -4918,7 +6300,7 @@ "django-mapstore-adapter": [ { "advisory": "Django-mapstore-adapter 1.0.4 fixes an unescaped \"ms2_config\" which may cause JS injection.", - "cve": null, + "cve": "PVE-2021-38936", "id": "pyup.io-38936", "specs": [ "<1.0.4" @@ -4949,7 +6331,7 @@ "django-material": [ { "advisory": "django-material 0.9.0 fixes a XSS vulnerability in input fields.", - "cve": null, + "cve": "PVE-2021-25775", "id": "pyup.io-25775", "specs": [ "<0.9.0" @@ -4958,7 +6340,7 @@ }, { "advisory": "django-material before 1.5.1 included a js injection vulnerability in a list view", - "cve": null, + "cve": "PVE-2021-36950", "id": "pyup.io-36950", "specs": [ "<1.5.1" @@ -4969,7 +6351,7 @@ "django-material-orange": [ { "advisory": "django-material-orange before 0.9.0 has a XSS vulnerability in input fields.", - "cve": null, + "cve": "PVE-2021-32207", "id": "pyup.io-32207", "specs": [ "<0.9.0" 
@@ -4980,7 +6362,7 @@ "django-material-saldoo": [ { "advisory": "django-material-saldoo before 0.9.0 has a XSS vulnerability in input fields.", - "cve": null, + "cve": "PVE-2021-32243", "id": "pyup.io-32243", "specs": [ "<0.9.0" @@ -4991,7 +6373,7 @@ "django-modern-rpc": [ { "advisory": "django-modern-rpc before 0.8.1 isn't correctly checking the authentication backend when executing 'system.multicall()'.", - "cve": null, + "cve": "PVE-2021-34991", "id": "pyup.io-34991", "specs": [ "<0.8.1" @@ -5002,7 +6384,7 @@ "django-music-publisher": [ { "advisory": "Django 2.1 had a minor security issue, so 2.1.2 was promptly released.. django-music-publisher before 18.9.1 included this issue.", - "cve": null, + "cve": "PVE-2021-36523", "id": "pyup.io-36523", "specs": [ "<18.9.1" @@ -5011,7 +6393,7 @@ }, { "advisory": "django-music-publisher 18.9.3 updates Django to fix a minor security issue.", - "cve": null, + "cve": "PVE-2021-36608", "id": "pyup.io-36608", "specs": [ "<18.9.3" @@ -5022,7 +6404,7 @@ "django-nameko-standalone": [ { "advisory": "Django-nameko-standalone 1.3.2 updates its Django version to avoid security warnings.", - "cve": null, + "cve": "PVE-2021-38565", "id": "pyup.io-38565", "specs": [ "<1.3.2" @@ -5033,7 +6415,7 @@ "django-newsletter": [ { "advisory": "django-newsletter before 0.7 allowed a user to subscribe others to the newsletter without authorization.", - "cve": null, + "cve": "PVE-2021-36318", "id": "pyup.io-36318", "specs": [ "<0.7" @@ -5042,7 +6424,7 @@ }, { "advisory": "django-newsletter 0.9 updates several dependencies (waitress, Django) due to security issues", - "cve": null, + "cve": "PVE-2021-37916", "id": "pyup.io-37916", "specs": [ "<0.9" @@ -5051,7 +6433,7 @@ }, { "advisory": "Django-newsletter 0.9b1 updates several dependencies due to security issues.", - "cve": null, + "cve": "PVE-2021-37677", "id": "pyup.io-37677", "specs": [ "<0.9b1" 
@@ -5062,7 +6444,7 @@ "django-ninecms": [ { "advisory": "django-ninecms before 0.4.5b has a unknown security issue in its url configuration.", - "cve": null, + "cve": "PVE-2021-25776", "id": "pyup.io-25776", "specs": [ "<0.4.5b" @@ -5072,7 +6454,7 @@ ], "django-nopassword": [ { - "advisory": "Django-nopassword before 5.0.0 stores cleartext secrets in the database. See: CVE-2019-10682.", + "advisory": "django-nopassword before 5.0.0 stores cleartext secrets in the database. See: CVE-2019-10682.", "cve": "CVE-2019-10682", "id": "pyup.io-38080", "specs": [ @@ -5081,10 +6463,21 @@ "v": "<5.0.0" } ], + "django-oauth-toolkit": [ + { + "advisory": "Django-oauth-toolkit 0.8.0 includes fixes for various vulnerabilities on 'Basic' authentication.", + "cve": "PVE-2021-39609", + "id": "pyup.io-39609", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + } + ], "django-orghierarchy": [ { "advisory": "Django-orghierarchy 0.1.13 updates Django for security reasons.", - "cve": null, + "cve": "PVE-2021-37039", "id": "pyup.io-37039", "specs": [ "<0.1.13" @@ -5093,7 +6486,7 @@ }, { "advisory": "Django-orghierarchy 0.1.18 includes a not further specified security update.", - "cve": null, + "cve": "PVE-2021-37038", "id": "pyup.io-37038", "specs": [ "<0.1.18" @@ -5104,7 +6497,7 @@ "django-perms-provisioner": [ { "advisory": "Django-perms-provisioner 0.0.4 updates PyYAML to a more secure version.", - "cve": null, + "cve": "PVE-2021-38289", "id": "pyup.io-38289", "specs": [ "<0.0.4" @@ -5126,7 +6519,7 @@ "django-pluggable-filebrowser": [ { "advisory": "django-pluggable-filebrowser 3.4.2 fixes a security bug: added staff_member_required decorator to the upload-function.", - "cve": null, + "cve": "PVE-2021-25778", "id": "pyup.io-25778", "specs": [ "<3.4.2" 
@@ -5137,7 +6530,7 @@ "django-polaris": [ { "advisory": "Improvements in the Multi-signature Asset Distribution Account Support allow anchors since django-polaris version 1.1.0 to improve the security of the account that controls outbound payments.", - "cve": null, + "cve": "PVE-2021-38837", "id": "pyup.io-38837", "specs": [ "<1.1.0" @@ -5148,7 +6541,7 @@ "django-postman": [ { "advisory": "django-postman 3.6.2 fixes issue 101, for security concern, ignore the scheme and domain parts in the 'next' query param.", - "cve": null, + "cve": "PVE-2021-36667", "id": "pyup.io-36667", "specs": [ "<3.6.2" @@ -5159,7 +6552,7 @@ "django-python3-ldap": [ { "advisory": "django-python3-ldap 0.9.5 fixes a security vulnerability where username and password could be transmitted in plain text before starting TLS.", - "cve": null, + "cve": "PVE-2021-25779", "id": "pyup.io-25779", "specs": [ "<0.9.5" @@ -5168,7 +6561,7 @@ }, { "advisory": "django-python3-ldap 0.9.8 fixes a security vulnerability allowing users to authenticate with a valid username but with an empty password if anonymous authentication is allowed on the LDAP server.", - "cve": null, + "cve": "PVE-2021-25780", "id": "pyup.io-25780", "specs": [ "<0.9.8" @@ -5176,10 +6569,21 @@ "v": "<0.9.8" } ], + "django-qiyu-token": [ + { + "advisory": "Django-qiyu-token 0.1.2 adds security API.", + "cve": "PVE-2021-41026", + "id": "pyup.io-41026", + "specs": [ + "<0.1.2" + ], + "v": "<0.1.2" + } + ], "django-rated": [ { "advisory": "django-rated before 1.1.2 has a unspecified security issue and is vulnerable via unknown vectors.", - "cve": null, + "cve": "PVE-2021-25781", "id": "pyup.io-25781", "specs": [ "<1.1.2" 
@@ -5190,18 +6594,27 @@ "django-registration": [ { "advisory": "django-registration before 1.7 leaked password reset token through the Referer\r\nheader.", - "cve": null, + "cve": "PVE-2021-36431", "id": "pyup.io-36431", "specs": [ "<1.7" ], "v": "<1.7" + }, + { + "advisory": "django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires: A site is using django-registration < 3.1.2, The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password). See CVE-2021-21416.", + "cve": "CVE-2021-21416", + "id": "pyup.io-40136", + "specs": [ + "<3.1.2" + ], + "v": "<3.1.2" } ], "django-registration-redux": [ { "advisory": "django-registration-redux before 1.7 leaks password reset tokens through the Referer header. For more info, see: https://github.com/macropin/django-registration/pull/268", - "cve": null, + "cve": "PVE-2021-35199", "id": "pyup.io-35199", "specs": [ "<1.7" @@ -5212,7 +6625,7 @@ "django-relatives": [ { "advisory": "django-relatives before 0.3.0 is vulnerable to a unspecified XSS issue.", - "cve": null, + "cve": "PVE-2021-25782", "id": "pyup.io-25782", "specs": [ "<0.3.0" 
@@ -5222,18 +6635,18 @@ ], "django-rest-registration": [ { - "advisory": "Django-rest-registration 0.5.0 fixes a critical security issue with misusing the Django Signer API. See: .", - "cve": null, - "id": "pyup.io-37385", + "advisory": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.", + "cve": "CVE-2019-13177", + "id": "pyup.io-37266", "specs": [ "<0.5.0" ], "v": "<0.5.0" }, { - "advisory": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.", - "cve": "CVE-2019-13177", - "id": "pyup.io-37266", + "advisory": "Django-rest-registration 0.5.0 fixes a critical security issue with misusing the Django Signer API. See: .", + "cve": "PVE-2021-37385", + "id": "pyup.io-37385", "specs": [ "<0.5.0" ], @@ -5243,7 +6656,7 @@ "django-revproxy": [ { "advisory": "django-revproxy 0.9.6 fixes a security issue that allowed remote-user header injection.", - "cve": null, + "cve": "PVE-2021-25783", "id": "pyup.io-25783", "specs": [ "<0.9.6" @@ -5252,7 +6665,7 @@ }, { "advisory": "django-revproxy 0.9.7 fixes a security issue: when colon is present at URL path urljoin ignores the upstream and the request is redirected to the path itself allowing content injection.", - "cve": null, + "cve": "PVE-2021-25784", "id": "pyup.io-25784", "specs": [ "<0.9.7" 
@@ -5263,7 +6676,7 @@ "django-safedelete": [ { "advisory": "django-safedelete 0.3.3 contains a security fix that prevents an XSS attack in the admin interface.", - "cve": null, + "cve": "PVE-2021-25785", "id": "pyup.io-25785", "specs": [ "<0.3.3" @@ -5274,7 +6687,7 @@ "django-secure-auth": [ { "advisory": "django-secure-auth 1.1 includes undisclosed security fixes.", - "cve": null, + "cve": "PVE-2021-34185", "id": "pyup.io-34185", "specs": [ "<1.1" @@ -5285,7 +6698,7 @@ "django-select2": [ { "advisory": "django-select2 5.7.0 contains a security fix that allows a `field_id` to only be used for the intended JSON endpoint.", - "cve": null, + "cve": "PVE-2021-25787", "id": "pyup.io-25787", "specs": [ "<5.7.0" @@ -5296,7 +6709,7 @@ "django-selectable": [ { "advisory": "django-selectable 0.5.2 fixes a XSS flaw with lookup ``get_item_*`` methods.", - "cve": null, + "cve": "PVE-2021-25788", "id": "pyup.io-25788", "specs": [ "<0.5.2" @@ -5307,7 +6720,7 @@ "django-server": [ { "advisory": "django-server is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, + "cve": "PVE-2021-34982", "id": "pyup.io-34982", "specs": [ ">0", @@ -5319,7 +6732,7 @@ "django-session-security": [ { "advisory": "django-session-security 2.4.0 fixes a vulnerability when SESSION_EXPIRE_AT_BROWSER_CLOSE is off.", - "cve": null, + "cve": "PVE-2021-25789", "id": "pyup.io-25789", "specs": [ "<2.4.0" @@ -5330,7 +6743,7 @@ "django-smart-lists": [ { "advisory": "Django-smart-lists 1.0.26 fixes a XSS vulnerability in the render_function.", - "cve": null, + "cve": "PVE-2021-38150", "id": "pyup.io-38150", "specs": [ "<1.0.26" 
@@ -5341,7 +6754,7 @@ "django-smart-selects": [ { "advisory": "django-smart-selects before 1.5.0 allowed anybody to list arbitrary objects by tweaking URL parameters. 1.5.0 adds checks to the views to ensure that queries return an HTTP 403 (Permission denied) for models that do not have smart_selects fields defined.", - "cve": null, + "cve": "PVE-2021-34234", "id": "pyup.io-34234", "specs": [ "<1.5.1" @@ -5352,7 +6765,7 @@ "django-social-auth": [ { "advisory": "django-social-auth 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.", - "cve": null, + "cve": "PVE-2021-25790", "id": "pyup.io-25790", "specs": [ "<0.7.2" @@ -5363,7 +6776,7 @@ "django-social-auth3": [ { "advisory": "django-social-auth3 0.7.2 fixes a security hole - redirects via the next param are now properly sanitized to disallow redirecting to external hosts.", - "cve": null, + "cve": "PVE-2021-25791", "id": "pyup.io-25791", "specs": [ "<0.7.2" @@ -5371,10 +6784,30 @@ "v": "<0.7.2" } ], + "django-sql-dashboard": [ + { + "advisory": "Django-sql-dashboard 0.14 fixes a security and permissions flaw, where users without the 'execute_sql' permission could still run custom queries by editing saved dashboards using the Django admin interface.", + "cve": "PVE-2021-40482", + "id": "pyup.io-40482", + "specs": [ + "<0.14" + ], + "v": "<0.14" + } + ], "django-sql-explorer": [ + { + "advisory": "Users in django-sql-explorer version 0.5 with view permissions can use query parameters. This results in a potential for SQL injection.", + "cve": "PVE-2021-39445", + "id": "pyup.io-39445", + "specs": [ + "<0.5" + ], + "v": "<0.5" + }, { "advisory": "django-sql-explorer before 1.1.0 isn't escaping values from the database correctly, making it open for potential XSS-attacks.", - "cve": null, + "cve": "PVE-2021-33293", "id": "pyup.io-33293", "specs": [ "<1.1.0" 
@@ -5385,7 +6818,7 @@ "django-sticky-uploads": [ { "advisory": "django-sticky-uploads 0.2.0 fixes a security issue related to client changing the upload url specified by the widget for the upload.", - "cve": null, + "cve": "PVE-2021-25793", "id": "pyup.io-25793", "specs": [ "<0.2.0" @@ -5396,7 +6829,7 @@ "django-storages": [ { "advisory": "In django-storages before 1.7 - the ``S3BotoStorage`` and ``S3Boto3Storage`` backends have an insecure default ACL of ``public-read``. It is recommended that all current users upgrade to 1.7 and audit their bucket permissions. Support has been added for setting ``AWS_DEFAULT_ACL = None`` and ``AWS_BUCKET_ACL = None``. V1.7 will raise a warning if ``AWS_DEFAULT_ACL`` or ``AWS_BUCKET_ACL`` is not explicitly set.", - "cve": null, + "cve": "PVE-2021-36434", "id": "pyup.io-36434", "specs": [ "<1.7" @@ -5418,7 +6851,7 @@ "django-triggers": [ { "advisory": "Django-triggers 2.0.13 updates some dependencies to their latest secure versions.", - "cve": null, + "cve": "PVE-2021-37072", "id": "pyup.io-37072", "specs": [ "<2.0.13" @@ -5440,7 +6873,7 @@ "django-ucamlookup": [ { "advisory": "django-ucamlookup 1.9 fixes XXS vulnerability in template macros", - "cve": null, + "cve": "PVE-2021-36744", "id": "pyup.io-36744", "specs": [ "<1.9" @@ -5451,7 +6884,7 @@ "django-uni-form": [ { "advisory": "django-uni-form 0.9.0 fixes a XSS security issue. Errors cannot be rendered safe, because field's input can be part of the error message, that would mean XSS.", - "cve": null, + "cve": "PVE-2021-25796", "id": "pyup.io-25796", "specs": [ "<0.9.0" @@ -5462,7 +6895,7 @@ "django-urlconf-export": [ { "advisory": "Django-urlconf-export 1.1.1 updates Django in pipfile.lock to address a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38386", "id": "pyup.io-38386", "specs": [ "<1.1.1" 
@@ -5473,7 +6906,7 @@ "django-user-accounts": [ { "advisory": "django-user-accounts before 2.0.2 has a potentional security issue with leaking password reset tokens through HTTP Referer header.", - "cve": null, + "cve": "PVE-2021-34774", "id": "pyup.io-34774", "specs": [ "<2.0.2" @@ -5484,7 +6917,7 @@ "django-user-management": [ { "advisory": "Django-user-management 18.0.0 fixes a Pillow security issue and updates djangorestframework>=3.9.1 for an XSS fix.", - "cve": null, + "cve": "PVE-2021-38634", "id": "pyup.io-38634", "specs": [ "<18.0.0" @@ -5506,7 +6939,7 @@ "django-watchman": [ { "advisory": "django-watchman 0.10.0 improves security by keeping tokens out of logs.", - "cve": null, + "cve": "PVE-2021-25797", "id": "pyup.io-25797", "specs": [ "<0.10.0" @@ -5517,7 +6950,7 @@ "django-x509": [ { "advisory": "Django-x509 0.9.1 updates the minimum version of 'cryptography' to 3.2 for security reasons.", - "cve": null, + "cve": "PVE-2021-39116", "id": "pyup.io-39116", "specs": [ "<0.9.1" @@ -5528,7 +6961,7 @@ "djangocms-admin-style": [ { "advisory": "djangocms-admin-style 1.2.5 fixes a potential security issue if the ``Site.name`` field contains malicious code.", - "cve": null, + "cve": "PVE-2021-36834", "id": "pyup.io-36834", "specs": [ "<1.2.5" @@ -5539,7 +6972,7 @@ "djangocms-highlightjs": [ { "advisory": "djangocms-highlightjs before 0.3.1 has a unspecified security issue and is vulnerable via unknown vectors.", - "cve": null, + "cve": "PVE-2021-25798", "id": "pyup.io-25798", "specs": [ "<0.3.1" @@ -5550,7 +6983,7 @@ "djangorestframework": [ { "advisory": "djangorestframework 2.2.1 fixes a security issue: Use `defusedxml` package to address XML parsing vulnerabilities.", - "cve": null, + "cve": "PVE-2021-25799", "id": "pyup.io-25799", "specs": [ "<2.2.1" 
@@ -5559,7 +6992,7 @@ }, { "advisory": "djangorestframework 2.3.12 fixes a security issue: `OrderingField` now only allows ordering on readable serializer fields, or on fields explicitly specified using `ordering_fields`. This prevents users being able to order by fields that are not visible in the API, and exploiting the ordering of sensitive data such as password hashes.", - "cve": null, + "cve": "PVE-2021-25800", "id": "pyup.io-25800", "specs": [ "<2.3.12" @@ -5568,7 +7001,7 @@ }, { "advisory": "djangorestframework 2.3.14 fixes a security issue: Escape request path when it is include as part of the login and logout links in the browsable API.", - "cve": null, + "cve": "PVE-2021-25801", "id": "pyup.io-25801", "specs": [ "<2.3.14" @@ -5577,7 +7010,7 @@ }, { "advisory": "djangorestframework 2.4.4 fixes a security issue: Escape URLs when replacing `format=` query parameter, as used in dropdown on `GET` button in browsable API to allow explicit selection of JSON vs HTML output.", - "cve": null, + "cve": "PVE-2021-25802", "id": "pyup.io-25802", "specs": [ "<2.4.4" @@ -5586,7 +7019,7 @@ }, { "advisory": "djangorestframework 2.4.5 fixes a security issue: Escape tab switching cookie name in browsable API. [Backported from 3.1.1]", - "cve": null, + "cve": "PVE-2021-25803", "id": "pyup.io-25803", "specs": [ "<2.4.5" @@ -5595,7 +7028,7 @@ }, { "advisory": "djangorestframework 3.1.1 fixes a security issue: : Escape tab switching cookie name in browsable API.", - "cve": null, + "cve": "PVE-2021-25804", "id": "pyup.io-25804", "specs": [ "<3.1.1" @@ -5615,7 +7048,7 @@ "djangorestframework-api-key": [ { "advisory": "djangorestframework-api-key before 0.2.0 the API key was stored in plaintext in database.", - "cve": null, + "cve": "PVE-2021-36524", "id": "pyup.io-36524", "specs": [ "<0.2.0" 
@@ -5626,7 +7059,7 @@ "djangorestframework-simplejwt": [ { "advisory": "djangorestframework-simplejwt before 1.5 allowed `__getattr__` access to the underlying JWT through the `rest_framework_simplejwt.module.TokenUser` class.", - "cve": null, + "cve": "PVE-2021-34792", "id": "pyup.io-34792", "specs": [ "<1.5" @@ -5637,15 +7070,24 @@ "djangosaml2": [ { "advisory": "djangosaml2 0.17.2 upgrades the pysaml2 dependency to version 4.6.0 which fixes a security issue.", - "cve": null, + "cve": "PVE-2021-36423", "id": "pyup.io-36423", "specs": [ "<0.17.2" ], "v": "<0.17.2" - } - ], - "djblets": [ + }, + { + "advisory": "Djangosaml2 1.0.1 includes a security update for the PySAML2 dependency.", + "cve": "PVE-2021-39535", + "id": "pyup.io-39535", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + } + ], + "djblets": [ { "advisory": "Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name.", "cve": "CVE-2014-3994", @@ -5677,7 +7119,7 @@ "djedefre": [ { "advisory": "djedefre 0.7.0 fixes a security bug in \"djoser.views.UserView\"", - "cve": null, + "cve": "PVE-2021-37913", "id": "pyup.io-37913", "specs": [ "<0.7.0" @@ -5686,7 +7128,7 @@ }, { "advisory": "djedefre 1.3.2 fixes vulnerability of user endpoints.", - "cve": null, + "cve": "PVE-2021-37912", "id": "pyup.io-37912", "specs": [ "<1.3.2" @@ -5695,7 +7137,7 @@ }, { "advisory": "djedefre 1.5.1 fixes a vulnerability of UserViewSet that allows to create new accounts on wrong endpoint", - "cve": null, + "cve": "PVE-2021-37911", "id": "pyup.io-37911", "specs": [ "<1.5.1" @@ -5706,7 +7148,7 @@ "djoser": [ { "advisory": "djoser 0.7.0 fixes a security bug in djoser.views.UserView. (Missing more information)", - "cve": null, + "cve": "PVE-2021-34904", "id": "pyup.io-34904", "specs": [ "<0.7.0" 
@@ -5715,7 +7157,7 @@ }, { "advisory": "djoser 1.3.2 fixes vulnerability of user endpoints.", - "cve": null, + "cve": "PVE-2021-36711", "id": "pyup.io-36711", "specs": [ "<1.3.2" @@ -5724,7 +7166,7 @@ }, { "advisory": "djoser 1.5.1 fixes a vulnerability of UserViewSet that allowed to create new accounts on wrong endpoint.", - "cve": null, + "cve": "PVE-2021-37010", "id": "pyup.io-37010", "specs": [ "<1.5.1" @@ -5735,7 +7177,7 @@ "dlhub-gateway": [ { "advisory": "Dlhub-gateway 2.0.0 fixes security requirements in the swagger spec.", - "cve": null, + "cve": "PVE-2021-37339", "id": "pyup.io-37339", "specs": [ "<2.0.0" @@ -5746,7 +7188,7 @@ "dmoj": [ { "advisory": "Dmoj 1.4.0 includes a number of enhancements and security fixes.", - "cve": null, + "cve": "PVE-2021-37474", "id": "pyup.io-37474", "specs": [ "<1.4.0" @@ -5755,7 +7197,7 @@ }, { "advisory": "ANSI HTML-ifying has been moved to the site in dmoj 2.0.0 in order to prevent judges from potentially executing HTML injection attacks.", - "cve": null, + "cve": "PVE-2021-38276", "id": "pyup.io-38276", "specs": [ "<2.0.0" @@ -5763,10 +7205,21 @@ "v": "<2.0.0" } ], + "dnsimple": [ + { + "advisory": "Dnsimple 2.1.2 updates its dependencies to address a security issue in urllib3.", + "cve": "PVE-2021-40425", + "id": "pyup.io-40425", + "specs": [ + "<2.1.2" + ], + "v": "<2.1.2" + } + ], "docassemble": [ { "advisory": "Docassemble 0.3.35 includes a more robust code injection detection mechanism.", - "cve": null, + "cve": "PVE-2021-38925", "id": "pyup.io-38925", "specs": [ "<0.3.35" 
@@ -5775,18 +7228,56 @@ }, { "advisory": "Docassemble 0.5.105 upgrades 'bleach' due to security vulnerability", - "cve": null, + "cve": "PVE-2021-37941", "id": "pyup.io-37941", "specs": [ "<0.5.105" ], "v": "<0.5.105" + }, + { + "advisory": "Docassemble 1.0.12 includes an important fix for a security vulnerability.", + "cve": "PVE-2021-40418", + "id": "pyup.io-40418", + "specs": [ + "<1.0.12" + ], + "v": "<1.0.12" + }, + { + "advisory": "Docassemble 1.1.113 includes an important fix for a security vulnerability.", + "cve": "PVE-2021-40417", + "id": "pyup.io-40417", + "specs": [ + "<1.1.113" + ], + "v": "<1.1.113" + }, + { + "advisory": "Docassemble 1.2.65 includes a fix for an important security vulnerability.", + "cve": "PVE-2021-40397", + "id": "pyup.io-40397", + "specs": [ + "<1.2.65" + ], + "v": "<1.2.65" + } + ], + "doccano": [ + { + "advisory": "Doccano 1.0.3updates nginx.conf to enhance security.", + "cve": "PVE-2021-39243", + "id": "pyup.io-39243", + "specs": [ + "<1.0.3" + ], + "v": "<1.0.3" } ], "docker": [ { "advisory": "docker 3.5.1 bumps version of `pyOpenSSL` in `requirements.txt` and `setup.py` to prevent\r\n installation of a vulnerable version.", - "cve": null, + "cve": "PVE-2021-36783", "id": "pyup.io-36783", "specs": [ "<3.5.1" @@ -5797,7 +7288,7 @@ "docker-registry": [ { "advisory": "docker-registry 0.8.1 has security fixes (path traversing prevention and token validation).", - "cve": null, + "cve": "PVE-2021-25805", "id": "pyup.io-25805", "specs": [ "<0.8.1" @@ -5816,6 +7307,17 @@ "v": "<=10.8.3" } ], + "domonic": [ + { + "advisory": "Domonic 0.2.17 includes a security fix pushed by the 'Dependabot'.", + "cve": "PVE-2021-40325", + "id": "pyup.io-40325", + "specs": [ + "<0.2.17" + ], + "v": "<0.2.17" + } + ], "donfig": [ { "advisory": "An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collect_yaml method in config_obj.py. It can execute arbitrary Python commands, resulting in command execution.", 
@@ -5830,7 +7332,7 @@ "dpaste": [ { "advisory": "dpaste 2.8 fixes a XSS bug where HTML tags were not properly escaped with the simple ``code`` lexer.", - "cve": null, + "cve": "PVE-2021-25807", "id": "pyup.io-25807", "specs": [ "<2.8" @@ -5841,7 +7343,7 @@ "dplib": [ { "advisory": "dplib 1.4 fixes some security issues and added support for mapchange and namechange events", - "cve": null, + "cve": "PVE-2021-35851", "id": "pyup.io-35851", "specs": [ "<1.4" @@ -5849,10 +7351,32 @@ "v": "<1.4" } ], + "dpymenus": [ + { + "advisory": "Dpymenus 2.1.5 fixes a security issue in the 'urllib3' dependency for versions prior to 1.26.5.", + "cve": "PVE-2021-40583", + "id": "pyup.io-40583", + "specs": [ + "<2.1.5" + ], + "v": "<2.1.5" + } + ], + "draft-kings": [ + { + "advisory": "Draft-kings 2.0.3 updates the version of the 'urllib3' library to '1.25.9' to avoid vulnerabilities associated with version '1.24.3'.", + "cve": "PVE-2021-39238", + "id": "pyup.io-39238", + "specs": [ + "<2.0.3" + ], + "v": "<2.0.3" + } + ], "drf-api-logger": [ { "advisory": "Drf-api-logger 0.0.7 includes the warning that 'allowed hosts protection' is skipped when a RAW_URI value is used for DRF_API_LOGGER_PATH_TYPE. Consequently, an insecure URI may be returned.", - "cve": null, + "cve": "PVE-2021-39108", "id": "pyup.io-39108", "specs": [ "<=0.0.7" @@ -5863,7 +7387,7 @@ "drf-extra-fields": [ { "advisory": "Drf-extra-fields 2.0.0 upgrades Pillow to 6.2.1 to fix a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38809", "id": "pyup.io-38809", "specs": [ "<2.0.0" @@ -5885,7 +7409,7 @@ "drf-tracking": [ { "advisory": "drf-tracking before 1.3.0", - "cve": null, + "cve": "PVE-2021-34856", "id": "pyup.io-34856", "specs": [ "<1.3.0" @@ -5896,7 +7420,7 @@ "droopescan": [ { "advisory": "Droopescan 1.33.1 includes an update of Joomla because of an unauthenticated SQL injection vulnerability.", - "cve": null, + "cve": "PVE-2021-39049", "id": "pyup.io-39049", "specs": [ "<1.33.1" 
@@ -5907,7 +7431,7 @@ "dtale": [ { "advisory": "Dtale 1.9.1 includes a fix for USE_COLAB to prevent colab proxy endpoint injection.", - "cve": null, + "cve": "PVE-2021-38928", "id": "pyup.io-38928", "specs": [ "<1.9.1" @@ -5926,6 +7450,17 @@ "v": "<0.9.920150320" } ], + "dynamo-release": [ + { + "advisory": "Dynamo-release 0.99 includes fixes for various vulnerabilities.", + "cve": "PVE-2021-40192", + "id": "pyup.io-40192", + "specs": [ + "<0.99" + ], + "v": "<0.99" + } + ], "easy-install": [ { "advisory": "easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.", @@ -5938,7 +7473,7 @@ }, { "advisory": "easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.", - "cve": null, + "cve": "PVE-2021-33124", "id": "pyup.io-33124", "specs": [ "<0.7" @@ -5949,7 +7484,7 @@ "ec2-metadata": [ { "advisory": "Ec2-metadata 2.2.0 moves to use Instance Metadata Service version 2 due to its increased security - see: https://github.com/adamchainz/ec2-metadata/issues/150", - "cve": null, + "cve": "PVE-2021-38053", "id": "pyup.io-38053", "specs": [ "<2.2.0" @@ -5978,7 +7513,7 @@ }, { "advisory": "In ecdsa 0.14, deterministic signatures verify that the signature won't leak private key through very unlikely selection of `k` value (the nonce). Nonce bit size hiding was added (hardening against Minerva attack). Please note that it DOES NOT make library secure against side channel attacks (timing attacks).", - "cve": null, + "cve": "PVE-2021-37637", "id": "pyup.io-37637", "specs": [ "<0.14" 
@@ -6000,7 +7535,7 @@ "edx-ecommerce-worker": [ { "advisory": "Edx-ecommerce-worker 0.8.3 updates the version of pyyaml; the previous version has a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38792", "id": "pyup.io-38792", "specs": [ "==0.8.2" @@ -6008,10 +7543,21 @@ "v": "==0.8.2" } ], + "egon": [ + { + "advisory": "Egon 0.4.1 improves security and provides improved performance.", + "cve": "PVE-2021-40568", + "id": "pyup.io-40568", + "specs": [ + "<0.4.1" + ], + "v": "<0.4.1" + } + ], "eh": [ { "advisory": "eh 0.2.8 changes: Fixed pyyaml security issue", - "cve": null, + "cve": "PVE-2021-37217", "id": "pyup.io-37217", "specs": [ "<0.2.8" @@ -6020,7 +7566,7 @@ }, { "advisory": "Eh 1.3.0 fixes a pyyaml security issue.", - "cve": null, + "cve": "PVE-2021-37500", "id": "pyup.io-37500", "specs": [ "<1.3.0" @@ -6042,7 +7588,7 @@ "electrumx": [ { "advisory": "electrumx before 1.4.1 did not use PROTOCOL_MIN to 1.0; this did not prevent 2.9.x clients from connecting\r\n and encouraging upgrades to more recent clients without the security hole.", - "cve": null, + "cve": "PVE-2021-36324", "id": "pyup.io-36324", "specs": [ "<1.4.1" @@ -6050,10 +7596,30 @@ "v": "<1.4.1" } ], + "elyra": [ + { + "advisory": "Elyra 2.2.3 allows secure connections to S3 object storage.", + "cve": "PVE-2021-40313", + "id": "pyup.io-40313", + "specs": [ + "<2.2.3" + ], + "v": "<2.2.3" + }, + { + "advisory": "Elyra 2.3.0b0 allows secure connections to S3 object storage.", + "cve": "PVE-2021-40312", + "id": "pyup.io-40312", + "specs": [ + "<2.3.0b0" + ], + "v": "<2.3.0b0" + } + ], "emcache": [ { "advisory": "Emcache 1.3.6 fixes a security vulnerability by sanitizing key input.", - "cve": null, + "cve": "PVE-2021-38331", "id": "pyup.io-38331", "specs": [ "<1.3.6" @@ -6064,7 +7630,7 @@ "emitter-io": [ { "advisory": "Emitter-io 2.704 fixes a security issue by disallowing pub/sub on extended keys.", - "cve": null, + "cve": "PVE-2021-38320", "id": "pyup.io-38320", "specs": [ "<2.704" 
@@ -6072,10 +7638,32 @@ "v": "<2.704" } ], + "emrt.necd.content": [ + { + "advisory": "Emrt.necd.content 2.0.15 fixes a possible JavaScript injection.", + "cve": "PVE-2021-40547", + "id": "pyup.io-40547", + "specs": [ + "<2.0.15" + ], + "v": "<2.0.15" + } + ], + "encapsia-api": [ + { + "advisory": "Encapsia-api 0.2.9 updates dependencies for security reasons.", + "cve": "PVE-2021-39689", + "id": "pyup.io-39689", + "specs": [ + "<0.2.9" + ], + "v": "<0.2.9" + } + ], "engineio-client": [ { "advisory": "engineio-client 3.1.2 - Bumps ws to version 1.1.2 (vulnerability fix) (539)", - "cve": null, + "cve": "PVE-2021-36801", "id": "pyup.io-36801", "specs": [ "<3.1.2" @@ -6084,7 +7672,7 @@ }, { "advisory": "engineio-client 3.1.2 removes the parsejson dependency, which is vulnerable to a Regular Expression Denial of Service (NSP advisory [528](https://nodesecurity.io/advisories/528)). Please update as soon as possible.", - "cve": null, + "cve": "PVE-2021-36800", "id": "pyup.io-36800", "specs": [ "<3.1.2" @@ -6093,7 +7681,7 @@ }, { "advisory": "engineio-client 3.1.4 updates the `ws` package, as the previous version was vulnerable to a Regular Expression Denial of Service (NSP advisory [#550](https://nodesecurity.io/advisories/550)). Please update as soon as possible.", - "cve": null, + "cve": "PVE-2021-36799", "id": "pyup.io-36799", "specs": [ "<3.1.4" @@ -6101,10 +7689,21 @@ "v": "<3.1.4" } ], + "envyconfig": [ + { + "advisory": "Envyconfig 1.1.4 upgrades underlying libraries with security alerts.", + "cve": "PVE-2021-40257", + "id": "pyup.io-40257", + "specs": [ + "<1.1.4" + ], + "v": "<1.1.4" + } + ], "epsagon": [ { "advisory": "Epsagon 1.5.0 updates several dependencies in package.json due to vulnerabilities.", - "cve": null, + "cve": "PVE-2021-39030", "id": "pyup.io-39030", "specs": [ "<1.5.0" 
@@ -6112,10 +7711,21 @@ "v": "<1.5.0" } ], + "epyk": [ + { + "advisory": "Epyk 1.5.6 fixes an external JavaScript text injection issue.", + "cve": "PVE-2021-40189", + "id": "pyup.io-40189", + "specs": [ + "<1.5.6" + ], + "v": "<1.5.6" + } + ], "errbot": [ { "advisory": "errbot 1.3.0 fixes a security issue: the plugin directory permissions were too lax.", - "cve": null, + "cve": "PVE-2021-25812", "id": "pyup.io-25812", "specs": [ "<1.3.0" @@ -6123,10 +7733,21 @@ "v": "<1.3.0" } ], + "ert-storage": [ + { + "advisory": "Ert-storage 0.1.8 enables token-based security for the 'ert-storage'.", + "cve": "PVE-2021-40562", + "id": "pyup.io-40562", + "specs": [ + "<0.1.8" + ], + "v": "<0.1.8" + } + ], "espeakng": [ { "advisory": "Espeakng 1.49.0 fixes many security issues. No details were given.", - "cve": null, + "cve": "PVE-2021-38581", "id": "pyup.io-38581", "specs": [ "<1.49.0" @@ -6135,7 +7756,7 @@ }, { "advisory": "Espeakng 1.50 includes the following security fixes:\r\n\r\n* Fix several crashes in the emoji support.\r\n* Fix several static analysis issues detected by Coverity Scan.\r\n* Fix several static analysis issues detected by Microsoft Visual C++ `/analyze`.\r\n* `oss-fuzz` support for the SSML logic.\r\n* Fix running `make check` with `-fsanitize=address` (LLVM AddressSanitizer).", - "cve": null, + "cve": "PVE-2021-38580", "id": "pyup.io-38580", "specs": [ "<1.50" @@ -6146,7 +7767,7 @@ "esphome": [ { "advisory": "Esphome 1.15.0b1 includes a fix for an http_request ESP32 insecure requests that may return the address of local variable. See: .", - "cve": null, + "cve": "PVE-2021-38623", "id": "pyup.io-38623", "specs": [ "<1.15.0b1" @@ -6157,7 +7778,7 @@ "esptool": [ { "advisory": "esptool before 2.5.0 `digest_secure_bootloader` could produce incorrect digest.", - "cve": null, + "cve": "PVE-2021-36328", "id": "pyup.io-36328", "specs": [ "<2.5.0" 
@@ -6168,7 +7789,7 @@ "eth-hash": [ { "advisory": "eth-hash before 0.1.5 used an unsafe version of `pycryptodome`. 0.1.5 upgrades `pycryptodome` to `>=3.6.6,<4` to fix this recently discovered vulnerability", - "cve": null, + "cve": "PVE-2021-36438", "id": "pyup.io-36438", "specs": [ "<0.1.5" @@ -6190,7 +7811,7 @@ "ethically": [ { "advisory": "Ethically 0.0.3 fixes security issues with dependencies.", - "cve": null, + "cve": "PVE-2021-37042", "id": "pyup.io-37042", "specs": [ "<0.0.3" @@ -6201,7 +7822,7 @@ "ethsnarks": [ { "advisory": "Ethsnarks 0.18.10.1 fixes security bugs in MiMC-p/p and Miximus.", - "cve": null, + "cve": "PVE-2021-37387", "id": "pyup.io-37387", "specs": [ "<0.18.10.1" @@ -6212,7 +7833,7 @@ "etlstat": [ { "advisory": "etlstat 0.6.1 updates SQLAlchemy in requirements.txt to fix moderate security issues", - "cve": null, + "cve": "PVE-2021-37878", "id": "pyup.io-37878", "specs": [ "<0.6.1" @@ -6223,16 +7844,25 @@ "euphorie": [ { "advisory": "Euphorie 11.1.2 tightens the security on several client views.", - "cve": null, + "cve": "PVE-2021-37459", "id": "pyup.io-37459", "specs": [ "<11.1.2" ], "v": "<11.1.2" }, + { + "advisory": "Euphorie 11.7.1 introduces a new view 'get-resources-timestamp' to not use the protected view 'refresh-resources-timestamp' which will be forbidden by the latest security hot fix.", + "cve": "PVE-2021-40574", + "id": "pyup.io-40574", + "specs": [ + "<11.7.1" + ], + "v": "<11.7.1" + }, { "advisory": "euphorie 6.1 fixes a security issue: modify client to always check if a survey session belongs to the current user.", - "cve": null, + "cve": "PVE-2021-25813", "id": "pyup.io-25813", "specs": [ "<6.1" 
@@ -6243,7 +7873,7 @@ "eve-alpha": [ { "advisory": "Ave-alpha 0.0.7 adds the `MONGO_QUERY_BLACKLIST` option. This allows blacklisting of mongo query operators that should not be allowed in resource queries (``?where=``). Defaults to ['$where', '$regex']. Mongo Javascript operators are disabled by default as they might be used as vectors for injection attacks. Javascript queries also tend to be slow and generally can be easily replaced with the /(very rich) Mongo query dialect.", - "cve": null, + "cve": "PVE-2021-37162", "id": "pyup.io-37162", "specs": [ "<0.0.7" @@ -6251,10 +7881,21 @@ "v": "<0.0.7" } ], + "event-scheduler": [ + { + "advisory": "EventU002dscheduler 0.1.2 updates the 'urllib3' dependency due to security issues.", + "cve": "PVE-2021-40343", + "id": "pyup.io-40343", + "specs": [ + "<0.1.2" + ], + "v": "<0.1.2" + } + ], "event-tracking": [ { "advisory": "event-tracking 0.2.9 changes: This upgrade will fix the security vulnerability in the old versions of jinja2.", - "cve": null, + "cve": "PVE-2021-37232", "id": "pyup.io-37232", "specs": [ "<0.2.9" 
@@ -6262,10 +7903,30 @@ "v": "<0.2.9" } ], + "eventlet": [ + { + "advisory": "Eventlet 0.31.0 includes an important security fix (websocket: Limit maximum uncompressed frame length to 8MiB).", + "cve": "PVE-2021-40399", + "id": "pyup.io-40399", + "specs": [ + "<0.31.0" + ], + "v": "<0.31.0" + }, + { + "advisory": "A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process.", + "cve": "CVE-2021-21419", + "id": "pyup.io-40416", + "specs": [ + "<0.31.0" + ], + "v": "<0.31.0" + } + ], "eventmq": [ { "advisory": "Eventmq 0.3.13rc1 upgrades the psutil dependency to a more secure version.", - "cve": null, + "cve": "PVE-2021-38402", "id": "pyup.io-38402", "specs": [ "<0.3.13rc1" 
@@ -6273,10 +7934,63 @@ "v": "<0.3.13rc1" } ], + "exgrex-py": [ + { + "advisory": "Exgrex-py 0.3a2 updates various underlying dependencies (Pygments -> 2.7.4, urllib3 -> 1.26.4, cryptography -> 3.3.2, bleach -> 3.3.0).", + "cve": "PVE-2021-40142", + "id": "pyup.io-40142", + "specs": [ + "<0.3a2" + ], + "v": "<0.3a2" + } + ], + "exgrex-pytest": [ + { + "advisory": "Exgrex-pytest 0.1a2 updates underlying dependencies for the security reasons (urllib3 -> 1.26.4, cryptography -> 3.3.2, bleach -> 3.3.0).", + "cve": "PVE-2021-40148", + "id": "pyup.io-40148", + "specs": [ + "<0.1a2" + ], + "v": "<0.1a2" + } + ], + "exoskeleton": [ + { + "advisory": "Exoskeleton 1.2.1 requires lxml version >= 4.6.2 (released 2020-11-26) as it fixes a vulnerability.", + "cve": "PVE-2021-39207", + "id": "pyup.io-39207", + "specs": [ + "<1.2.1" + ], + "v": "<1.2.1" + }, + { + "advisory": "Exoskeleton 1.2.5 updates the 'lxml' dependency to '4.6.3' (security update).", + "cve": "PVE-2021-40224", + "id": "pyup.io-40224", + "specs": [ + "<1.2.5" + ], + "v": "<1.2.5" + } + ], + "experimaestro": [ + { + "advisory": "Experimaestro 0.7.11 includes an NPM packages update (for security proposes).", + "cve": "PVE-2021-39420", + "id": "pyup.io-39420", + "specs": [ + "<0.7.11" + ], + "v": "<0.7.11" + } + ], "extensiveautomation-server": [ { "advisory": "Extensiveautomation-server 12.1.0 reactivates SSLv3 cipher to support Linux client in python 2.6, fixes a security issue on folder creation in repository (no more full rights), and fixes a security issue on web services (bad handle of the level access).", - "cve": null, + "cve": "PVE-2021-37348", "id": "pyup.io-37348", "specs": [ "<12.1.0" 
@@ -6285,7 +7999,7 @@ }, { "advisory": "Extensiveautomation-server 13.0.0 includes various security improvements:\r\n- No longer uses truncate tables.\r\n- No longer creates folders with 777 mode.\r\n- Includes a new script to secure the server after a from-scratch installation.\r\n- Dumps mysql user in settings file, with updates on all services.", - "cve": null, + "cve": "PVE-2021-37347", "id": "pyup.io-37347", "specs": [ "<13.0.0" @@ -6294,7 +8008,7 @@ }, { "advisory": "Extensiveautomation-server 14.0.0 includes various security updates:\r\n- It has a minor improvement to secure the product (php and apache).\r\n- It encrypts test environment data.\r\n- It no longer run server as root.\r\n- It no longer uses the root account for database access.", - "cve": null, + "cve": "PVE-2021-37346", "id": "pyup.io-37346", "specs": [ "<14.0.0" @@ -6303,7 +8017,7 @@ }, { "advisory": "Extensiveautomation-server 16.0.0 fixes a security issue on rest API: it fixes the error on the get variables listing.", - "cve": null, + "cve": "PVE-2021-37345", "id": "pyup.io-37345", "specs": [ "<16.0.0" @@ -6325,7 +8039,7 @@ "faker": [ { "advisory": "Faker 0.1 includes the message: \"`bundler-audit` has identified that i18 has fix a security vulnerability, that has been fixed in the 0.8 version.\"", - "cve": null, + "cve": "PVE-2021-37386", "id": "pyup.io-37386", "specs": [ "<0.1" 
@@ -6333,10 +8047,32 @@ "v": "<0.1" } ], + "fangfrisch": [ + { + "advisory": "Fangfrisch 1.4.0 removes 'url_doppelstern' and 'url_crdfam_clamav' from Sanesecurity's provider section because the related signatures are no longer maintained and/or no longer distributed by Sanesecurity.", + "cve": "PVE-2021-39615", + "id": "pyup.io-39615", + "specs": [ + "<1.4.0" + ], + "v": "<1.4.0" + } + ], + "faraday-agent-dispatcher": [ + { + "advisory": "Faraday-agent-dispatcher 1.2.1 escapes user-controlled executor parameters in order to prevent OS argument injection (not command injection).", + "cve": "PVE-2021-39351", + "id": "pyup.io-39351", + "specs": [ + "<1.2.1" + ], + "v": "<1.2.1" + } + ], "fast-curator": [ { "advisory": "Fast-curator 0.2.2 switches to pyyaml `safe_load` for better security.", - "cve": null, + "cve": "PVE-2021-37514", "id": "pyup.io-37514", "specs": [ "<0.2.2" @@ -6347,7 +8083,7 @@ "fastapi": [ { "advisory": "Fastapi 0.18.0 updates dependencies for security reasons.", - "cve": null, + "cve": "PVE-2021-37084", "id": "pyup.io-37084", "specs": [ "<0.18.0" 
@@ -6356,7 +8092,7 @@ }, { "advisory": "Fastapi 0.30.0 avoids/fixes a potential security issue: as the returned object is passed directly to Pydantic, if the returned object was a subclass of the `response_model` (e.g. you return a `UserInDB` that inherits from `User` but contains extra fields, like `hashed_password`, and `User` is used in the `response_model`), it would still pass the validation (because `UserInDB` is a subclass of `User`) and the object would be returned as-is, including the `hashed_password`. To fix this, the declared `response_model` is cloned, if it is a Pydantic model class (or contains Pydantic model classes in it, e.g. in a `List[Item]`), the Pydantic model class(es) will be a different one (the \"cloned\" one). So, an object that is a subclass won't simply pass the validation and returned as-is, because it is no longer a sub-class of the cloned `response_model`. Instead, a new Pydantic model object will be created with the contents of the returned object. So, it will be a new object (made with the data from the returned one), and will be filtered by the cloned `response_model`, containing only the declared fields as normally.", - "cve": null, + "cve": "PVE-2021-37231", "id": "pyup.io-37231", "specs": [ "<0.30.0" @@ -6365,7 +8101,7 @@ }, { "advisory": "Fastapi 0.37.0 fixes a security issue: when returning a sub-class of a response model and using `skip_defaults` it could leak information. See: https://github.com/tiangolo/fastapi/pull/485", - "cve": null, + "cve": "PVE-2021-37428", "id": "pyup.io-37428", "specs": [ "<0.37.0" 
@@ -6374,29 +8110,76 @@ }, { "advisory": "Fastapi 0.60.2 fixes typos in docs for 'security' chapter.", - "cve": null, + "cve": "PVE-2021-38670", "id": "pyup.io-38670", "specs": [ "<0.60.2" ], "v": "<0.60.2" + }, + { + "advisory": "Fastapi 0.65.1 upgrades pydantic pin, to handle CVE-2021-29510.", + "cve": "CVE-2021-29510", + "id": "pyup.io-40443", + "specs": [ + "<0.65.1" + ], + "v": "<0.65.1" + }, + { + "advisory": "FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround. 
See also CVE-2021-32677.", + "cve": "CVE-2021-32677", + "id": "pyup.io-40667", + "specs": [ + "<0.65.2" + ], + "v": "<0.65.2" } ], "fastapi-login": [ { "advisory": "Fastapi-login 1.4.0 fixes a security vulnerability found in uvicorn", - "cve": null, + "cve": "PVE-2021-38783", "id": "pyup.io-38783", "specs": [ "<1.4.0" ], "v": "<1.4.0" + }, + { + "advisory": "Fastapi-login 1.6.0 updates underlying packages to fix security vulnerabilities.", + "cve": "PVE-2021-40234", + "id": "pyup.io-40234", + "specs": [ + "<1.6.0" + ], + "v": "<1.6.0" + }, + { + "advisory": "Fastapi-login 1.6.1 includes updates of dependencies. This fixes several security issues found in dependencies.", + "cve": "PVE-2021-40652", + "id": "pyup.io-40652", + "specs": [ + "<1.6.1" + ], + "v": "<1.6.1" + } + ], + "fastapi-restful": [ + { + "advisory": "Fastapi-restful 0.3.1 includes a fix for the 'pydantic' dependency (update is required).", + "cve": "CVE-2021-29510", + "id": "pyup.io-40814", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" } ], "fastecdsa": [ { "advisory": "Fastecdsa 2.1.5 fixes the timing leakage from nonce bit length. This is also known as the 'Minerva' vulnerability. See: .", - "cve": null, + "cve": "PVE-2021-38743", "id": "pyup.io-38743", "specs": [ "<2.1.5" @@ -6407,7 +8190,7 @@ "featureserver": [ { "advisory": "featureserver before 1.06 allowed JSON callbacks.", - "cve": null, + "cve": "PVE-2021-25814", "id": "pyup.io-25814", "specs": [ "<1.06" @@ -6415,6 +8198,17 @@ "v": "<1.06" } ], + "fedcloudclient": [ + { + "advisory": "Fedcloudclient 1.1.0 improves error checking and enhances security.", + "cve": "PVE-2021-40139", + "id": "pyup.io-40139", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], "fedmsg": [ { "advisory": "FedMsg 0.18.1 and older is vulnerable to a message validation flaw resulting in message validation not being enabled if configured to be on.", 
@@ -6426,10 +8220,21 @@ "v": "<0.18.2" } ], + "fedn": [ + { + "advisory": "Fedn 0.2.3 includes several bugfixes and security patches.", + "cve": "PVE-2021-40830", + "id": "pyup.io-40830", + "specs": [ + "<0.2.3" + ], + "v": "<0.2.3" + } + ], "fedora": [ { "advisory": "Fedora 0.3.10 has some methods to help deal with CSRF, which is a vulnerability that can allow malicious web sites to execute server methods on behalf of an authenticated user.", - "cve": null, + "cve": "PVE-2021-38173", "id": "pyup.io-38173", "specs": [ "<0.3.10" @@ -6438,7 +8243,7 @@ }, { "advisory": "Fedora 0.3.34 fixes the jsglobals.html template to escape usernames and human names to fix a potential XSS flaw. It also makes flask-fas-openid check that the page it is returning the user to after authentication is from within the application.", - "cve": null, + "cve": "PVE-2021-38171", "id": "pyup.io-38171", "specs": [ "<0.3.34" @@ -6504,10 +8309,21 @@ "v": "<5.1.2" } ], + "fiduswriter": [ + { + "advisory": "Fiduswriter 3.9.24 includes security updates for 'Django' and 'Pillow' dependencies.", + "cve": "PVE-2021-40866", + "id": "pyup.io-40866", + "specs": [ + "<3.9.24" + ], + "v": "<3.9.24" + } + ], "fincity-django-allauth": [ { "advisory": "In fincity-django-allauth 0.18.0, the Persona provider now requires the ``AUDIENCE`` parameter to be explicitly configured, as required by the Persona specification for security reasons. Also, the inline Javascript is removed from the ``fbconnect.html`` template, which allows for a more strict ``Content-Security-Policy``. If you were using the builtin ``fbconnect.html`` this change should go by unnoticed.", - "cve": null, + "cve": "PVE-2021-37466", "id": "pyup.io-37466", "specs": [ "<0.18.0" 
@@ -6516,7 +8332,7 @@ }, { "advisory": "Version prior to fincity-django-allauth 0.28.0 contained a vulnerability allowing an attacker to alter the provider specific settings for ``SCOPE`` and/or ``AUTH_PARAMS`` (part of the larger ``SOCIALACCOUNT_PROVIDERS`` setting). The changes would persist across subsequent requests for all users, provided these settings were explicitly set within your project. These settings translate directly into request parameters, giving the attacker undesirable control over the OAuth(2) handshake. You are not affected if you did not explicitly configure these settings.", - "cve": null, + "cve": "PVE-2021-37464", "id": "pyup.io-37464", "specs": [ "<0.28.0" @@ -6525,7 +8341,7 @@ }, { "advisory": "Password reset tokens in fincity-django-allauth 0.33.0 are prevented from being leaked through the password reset URL.", - "cve": null, + "cve": "PVE-2021-38514", "id": "pyup.io-38514", "specs": [ "<0.33.0" @@ -6534,7 +8350,7 @@ }, { "advisory": "Before fincity-django-allauth 0.34.0, the \"Set Password\" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.", - "cve": null, + "cve": "PVE-2021-37463", "id": "pyup.io-37463", "specs": [ "<0.34.0" @@ -6543,7 +8359,7 @@ }, { "advisory": "As an extra security measure on top of what the standard Django password reset token generator is already facilitating, allauth in fincity-django-allauth 0.35.0 adds the user email address to the hash such that whenever the user's email address changes the token is invalidated.", - "cve": null, + "cve": "PVE-2021-37462", "id": "pyup.io-37462", "specs": [ "<0.35.0" 
@@ -6552,7 +8368,7 @@ }, { "advisory": "The authentication backend in fincity-django-allauth before 0.36.0 did not invoke the `user_can_authenticate()` method, potentially allowing users with `is_active=False` to authenticate when the allauth authentication backend was used in a non allauth context.", - "cve": null, + "cve": "PVE-2021-38513", "id": "pyup.io-38513", "specs": [ "<0.36.0" @@ -6561,7 +8377,7 @@ }, { "advisory": "Before fincity-django-allauth 0.38.0, the ``{% user_display user %}`` tag did not escape properly. Depending on the username validation rules, this could lead to XSS issues.", - "cve": null, + "cve": "PVE-2021-37465", "id": "pyup.io-37465", "specs": [ "<0.38.0" @@ -6569,10 +8385,21 @@ "v": "<0.38.0" } ], + "firepyer": [ + { + "advisory": "Firepyer 0.0.2 adds system, security policy and ICMP methods.", + "cve": "PVE-2021-39442", + "id": "pyup.io-39442", + "specs": [ + "<0.0.2" + ], + "v": "<0.0.2" + } + ], "flambe": [ { "advisory": "Flambe 0.4.16 fixes a vulnerability with PyYAML < 5.3.1.", - "cve": null, + "cve": "PVE-2021-38138", "id": "pyup.io-38138", "specs": [ "<0.4.16" @@ -6583,7 +8410,7 @@ "flashfocus": [ { "advisory": "flashfocus 1.2.0 updates pyaml version in requirements due to security vulnerability", - "cve": null, + "cve": "PVE-2021-36825", "id": "pyup.io-36825", "specs": [ "<1.2.0" @@ -6603,7 +8430,7 @@ }, { "advisory": "flask 0.6.1 fixes a security problem that allowed clients to download arbitrary files if the host server was a windows based operating system and the client uses backslashes to escape the directory the files where exposed from.", - "cve": null, + "cve": "PVE-2021-25820", "id": "pyup.io-25820", "specs": [ "<0.6.1" @@ -6623,7 +8450,7 @@ "flask-admin": [ { "advisory": "flask-admin 1.3.0 fixes a XSS vulnerability in column_editable_list values.", - "cve": null, + "cve": "PVE-2021-25821", "id": "pyup.io-25821", "specs": [ "<1.3.0" 
@@ -6632,7 +8459,7 @@ }, { "advisory": "flask-admin before 1.5.2 had an XSS vulnerability.", - "cve": null, + "cve": "PVE-2021-36408", "id": "pyup.io-36408", "specs": [ "<1.5.2" @@ -6641,7 +8468,7 @@ }, { "advisory": "flask-admin 1.5.3 fixes an XSS vulnerability", - "cve": null, + "cve": "PVE-2021-36746", "id": "pyup.io-36746", "specs": [ "<1.5.3" @@ -6658,10 +8485,21 @@ "v": "<=1.5.2" } ], + "flask-api-tools": [ + { + "advisory": "Flask-api-tools 1.6.2 fixes a security vulnerability discovered and patched in a dependency. See also .", + "cve": "PVE-2021-40044", + "id": "pyup.io-40044", + "specs": [ + "<1.6.2" + ], + "v": "<1.6.2" + } + ], "flask-appbuilder": [ { "advisory": "Flask-appbuilder 0.2.0 includes reset password corrections.", - "cve": null, + "cve": "PVE-2021-37060", "id": "pyup.io-37060", "specs": [ "<0.2.0" @@ -6669,18 +8507,18 @@ "v": "<0.2.0" }, { - "advisory": "Flask-appbuilder 0.7.8 has better security than previous versions. No details are given.", - "cve": null, - "id": "pyup.io-37064", + "advisory": "flask-appbuilder 0.7.8 adds new, added optional parameter \"label\" and \"category_label\" for menu items, better security and i18n", + "cve": "PVE-2021-37905", + "id": "pyup.io-37905", "specs": [ "<0.7.8" ], "v": "<0.7.8" }, { - "advisory": "flask-appbuilder 0.7.8 adds new, added optional parameter \"label\" and \"category_label\" for menu items, better security and i18n", - "cve": null, - "id": "pyup.io-37905", + "advisory": "Flask-appbuilder 0.7.8 has better security than previous versions. No details are given.", + "cve": "PVE-2021-37064", + "id": "pyup.io-37064", "specs": [ "<0.7.8" ], @@ -6688,7 +8526,7 @@ }, { "advisory": "flask-appbuilder 1.9.0 prevents masquerade attacks through oauth providers", - "cve": null, + "cve": "PVE-2021-37828", "id": "pyup.io-37828", "specs": [ "<1.9.0" 
@@ -6697,7 +8535,7 @@ }, { "advisory": "Flask-appbuilder 1.9.0 prevent masquerade attacks through OAuth providers and fixes crash on OAuth errors, which was a security concern.", - "cve": null, + "cve": "PVE-2021-37061", "id": "pyup.io-37061", "specs": [ "<1.9.0" @@ -6706,7 +8544,7 @@ }, { "advisory": "flask-appbuilder 1.9.2 fixes possible SQL injection vulnerability", - "cve": null, + "cve": "PVE-2021-37297", "id": "pyup.io-37297", "specs": [ "<1.9.2" @@ -6715,7 +8553,7 @@ }, { "advisory": "Flask-appbuilder 1.9.3 fixes a possible SQL injection vulnerability on order by clauses.", - "cve": null, + "cve": "PVE-2021-38900", "id": "pyup.io-38900", "specs": [ "<1.9.3" @@ -6724,7 +8562,7 @@ }, { "advisory": "Flask-appbuilder 2.2.2 make userstatschartview optional (a security issue) (#1239).", - "cve": null, + "cve": "PVE-2021-37059", "id": "pyup.io-37059", "specs": [ "<2.2.2" @@ -6733,18 +8571,27 @@ }, { "advisory": "Flask-appbuilder 2.2.4 toggles pvm, perm and vm mvc views config options (a security issue) (#1259).", - "cve": null, + "cve": "PVE-2021-37130", "id": "pyup.io-37130", "specs": [ "<2.2.4" ], "v": "<2.2.4" + }, + { + "advisory": "Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.", + "cve": "CVE-2021-29621", + "id": "pyup.io-40630", + "specs": [ + "<=3.2.3" + ], + "v": "<=3.2.3" } ], "flask-async": [ { "advisory": "flask-async 0.6.1 fixes a security problem that allowed clients to download arbitrary files if the host server was a windows based operating system and the client uses backslashes to escape the directory the files where exposed from.", - "cve": null, + "cve": "PVE-2021-25822", "id": "pyup.io-25822", "specs": [ "<0.6.1" 
@@ -6752,6 +8599,17 @@ "v": "<0.6.1" } ], + "flask-caching": [ + { + "advisory": "The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.", + "cve": "CVE-2021-33026", + "id": "pyup.io-40459", + "specs": [ + "<=1.10.1" + ], + "v": "<=1.10.1" + } + ], "flask-cors": [ { "advisory": "An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. See CVE-2020-25032.", @@ -6766,7 +8624,7 @@ "flask-exceptions": [ { "advisory": "flask-exceptions 1.2.2 update is for security vulnerabilities", - "cve": null, + "cve": "PVE-2021-36812", "id": "pyup.io-36812", "specs": [ "<1.2.2" @@ -6777,7 +8635,7 @@ "flask-flatpages": [ { "advisory": "Flask-flatpages 0.7.1 updates its dependencies to resolve some severe security alerts.", - "cve": null, + "cve": "PVE-2021-37077", "id": "pyup.io-37077", "specs": [ "<0.7.1" @@ -6788,7 +8646,7 @@ "flask-i18n": [ { "advisory": "flask-i18n 1.1.1 update is for security vulnerabilities", - "cve": null, + "cve": "PVE-2021-36814", "id": "pyup.io-36814", "specs": [ "<1.1.1" @@ -6799,7 +8657,7 @@ "flask-images": [ { "advisory": "flask-images 1.1.3 fixes 3 security bugs, each of which would allow for reading any image on disk.", - "cve": null, + "cve": "PVE-2021-25823", "id": "pyup.io-25823", "specs": [ "<1.1.3" @@ -6810,7 +8668,7 @@ "flask-ipban": [ { "advisory": "flask-ipban 0.2.2 fixes a yaml loading vulnerability.", - "cve": null, + "cve": "PVE-2021-36997", "id": "pyup.io-36997", "specs": [ "<0.2.2" 
@@ -6821,7 +8679,7 @@ "flask-logger": [ { "advisory": "flask-logger 1.0.3 updates dependencies for security issues in Flask.", - "cve": null, + "cve": "PVE-2021-36811", "id": "pyup.io-36811", "specs": [ "<1.0.3" @@ -6832,7 +8690,7 @@ "flask-micropub": [ { "advisory": "flask-micropub 0.2.2 fixes a vulnerability; re-discover the authorization_endpoint and token_endpoint at each stage in the flow. Prevents a buggy or malicious authorization_endpoint from giving you credentials for another user's domain name.", - "cve": null, + "cve": "PVE-2021-25824", "id": "pyup.io-25824", "specs": [ "<0.2.2" @@ -6843,7 +8701,7 @@ "flask-monitoring": [ { "advisory": "flask-monitoring 1.10.0 adds security for automatic endpoint-data retrieval", - "cve": null, + "cve": "PVE-2021-37847", "id": "pyup.io-37847", "specs": [ "<1.10.0" @@ -6854,7 +8712,7 @@ "flask-oauthlib": [ { "advisory": "flask-oauthlib before 0.9.1 improves on security. (Without further details).", - "cve": null, + "cve": "PVE-2021-25825", "id": "pyup.io-25825", "specs": [ "<0.9.1" @@ -6873,10 +8731,21 @@ "v": "<0.1.2" } ], + "flask-pyoidc": [ + { + "advisory": "Flask-pyoidc before 3.7.0 did not properly validate the ID token according to the OIDC specification. It also still depended on a pyoidc version that is now known to not be secure.", + "cve": "PVE-2021-39225", + "id": "pyup.io-39225", + "specs": [ + "<3.7.0" + ], + "v": "<3.7.0" + } + ], "flask-security-fork": [ { "advisory": "flask-security-fork before 1.8.1 fixes a security bug when validating a confirmation token, also checks if the email that the token was created with matches the user's current email.", - "cve": null, + "cve": "PVE-2021-25827", "id": "pyup.io-25827", "specs": [ "<1.8.1" 
@@ -6884,19 +8753,39 @@ "v": "<1.8.1" } ], - "flask-sieve": [ + "flask-security-too": [ { - "advisory": "Flask-sieve 1.0.4 fixes some vulnerabilities by updating the werkzeug package.", - "cve": null, - "id": "pyup.io-39139", + "advisory": "All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the 'autocorrect_location_header=False`.", + "cve": "CVE-2021-32618", + "id": "pyup.io-40493", "specs": [ - "<1.0.4" + ">0.0.1a1" ], - "v": "<1.0.4" + "v": ">0.0.1a1" + }, + { + "advisory": "The Python \"Flask-Security-Too\" package is used for adding security features to your Flask application. It is an is a independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. 
Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to \"0\" (seconds) which should make the token unusable. See CVE-2021-21241.", + "cve": "CVE-2021-21241", + "id": "pyup.io-39440", + "specs": [ + ">=3.3.0rc1,<3.4.5" + ], + "v": ">=3.3.0rc1,<3.4.5" + } + ], + "flask-sieve": [ + { + "advisory": "Flask-sieve 1.0.4 fixes some vulnerabilities by updating the werkzeug package.", + "cve": "PVE-2021-39139", + "id": "pyup.io-39139", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" }, { "advisory": "Flask-sieve 1.1.0 updates Pillow (PIL-fork) to fix security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37632", "id": "pyup.io-37632", "specs": [ "<1.1.0" @@ -6907,7 +8796,7 @@ "flask-socketio": [ { "advisory": "Flask-socketio 4.2.0 addresses potential websocket cross-origin attacks. See: .", - "cve": null, + "cve": "PVE-2021-37309", "id": "pyup.io-37309", "specs": [ "<4.2.0" @@ -6918,7 +8807,7 @@ "flask-statsdclient": [ { "advisory": "flask-statsdclient 2.0.2 is for security vulnerabilities", - "cve": null, + "cve": "PVE-2021-36813", "id": "pyup.io-36813", "specs": [ "<2.0.2" 
@@ -6926,10 +8815,52 @@ "v": "<2.0.2" } ], + "flask-unchained": [ + { + "advisory": "Flask-unchained 0.9.0 includes a security fix in salt configuration for the 'itsdangerous' 2.0+ and a security fix for redirect vulnerability.", + "cve": "PVE-2021-40628", + "id": "pyup.io-40628", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + }, + { + "advisory": "This affects the package Flask-Unchained before 0.9.0. When using the the _validate_redirect_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\\\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False.", + "cve": "CVE-2021-23393", + "id": "pyup.io-40657", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], + "flask-user": [ + { + "advisory": "This affects all versions of package Flask-User. When using the make_safe_url function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as /////evil.com/path or \\\\\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False.", + "cve": "CVE-2021-23401", + "id": "pyup.io-40904", + "specs": [ + "<=1.0.2.2" + ], + "v": "<=1.0.2.2" + } + ], + "flatplan": [ + { + "advisory": "Flatplan 1.2.0 updates its dependencies to fix vulnerability issues.", + "cve": "PVE-2021-40345", + "id": "pyup.io-40345", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + } + ], "flex": [ { "advisory": "flex before 6.12.0 uses the unsafe `yaml.load` function to load YAML files, leading to an attack vector that allows remote code execution.", - "cve": null, + "cve": "PVE-2021-35155", "id": "pyup.io-35155", "specs": [ "<6.12.0" 
@@ -6937,10 +8868,77 @@ "v": "<6.12.0" } ], + "flora-blockchain": [ + { + "advisory": "Flora-blockchain 1.0b10 includes fixes for various Node.js security vulnerabilities.", + "cve": "PVE-2021-40983", + "id": "pyup.io-40983", + "specs": [ + "<1.0b10" + ], + "v": "<1.0b10" + }, + { + "advisory": "Flora-blockchain 1.0b8 removes the ability to pass in 'sk_seed' to plotting, to increase security.", + "cve": "PVE-2021-40985", + "id": "pyup.io-40985", + "specs": [ + "<1.0b8" + ], + "v": "<1.0b8" + }, + { + "advisory": "Flora-blockchain 1.0b9 starts to use the 'libsodium' dependency for additional security for Windows BLS Signature library and updates Node.js dependencies to fix security vulnerabilities.", + "cve": "PVE-2021-40984", + "id": "pyup.io-40984", + "specs": [ + "<1.0b9" + ], + "v": "<1.0b9" + }, + { + "advisory": "Flora-blockchain 1.0rc5 updates the 'aiohttp' underlying library to 3.7.4 to address a low severity issue.", + "cve": "PVE-2021-40980", + "id": "pyup.io-40980", + "specs": [ + "<1.0rc5" + ], + "v": "<1.0rc5" + }, + { + "advisory": "Flora-blockchain 1.0rc6 takes secret words a prompt on the command line or stdin instead of command line arguments for better security for 'chia keys add' command. This version also adds rate limiting for full node. Limitation can and will lead to short term bans of certain peers that didn't behave in expected ways. This is ok and normal, but strong defense against many DDOS attacks.", + "cve": "PVE-2021-40979", + "id": "pyup.io-40979", + "specs": [ + "<1.0rc6" + ], + "v": "<1.0rc6" + }, + { + "advisory": "Flora-blockchain 1.1.3 includes a fix to mitigate 1-3 mojo dust attacks.", + "cve": "PVE-2021-40978", + "id": "pyup.io-40978", + "specs": [ + "<1.1.3" + ], + "v": "<1.1.3" + } + ], + "fnapy": [ + { + "advisory": "Fnapy 1.1.7 prevents possible vulnerabilities due to requests <=2.19.1. 
See CVE-2018-18074.", + "cve": "CVE-2018-18074", + "id": "pyup.io-39418", + "specs": [ + "<1.1.7" + ], + "v": "<1.1.7" + } + ], "foolscap": [ { "advisory": "In foolscap before 0.7.0 the \"flappserver\" feature was found to have a vulnerability in the service-lookup code which, when combined with an attacker who has the ability to write files to a location where the flappserver process could read them, would allow that attacker to obtain control of the flappserver process.\r\n\r\nUsers who run flappservers should upgrade to 0.7.0, where this was fixed as part of 226.", - "cve": null, + "cve": "PVE-2021-25828", "id": "pyup.io-25828", "specs": [ "<0.7.0" @@ -6951,7 +8949,7 @@ "form-designer": [ { "advisory": "form-designer 0.8 fixes an XSS vulnerability in the administration panel.", - "cve": null, + "cve": "PVE-2021-34711", "id": "pyup.io-34711", "specs": [ "<0.8" @@ -6962,7 +8960,7 @@ "formbar": [ { "advisory": "formbar 0.9 fixes a potential code injection issue by removing the rule parsing out of formbar and use brabbel library for rule parsing and evaluation.", - "cve": null, + "cve": "PVE-2021-25829", "id": "pyup.io-25829", "specs": [ "<0.9" @@ -6995,7 +8993,7 @@ "fresco": [ { "advisory": "In fresco after 0.5.5 user supplied data is no longer reflected in error messages raised from ``fresco.routeargs.RequestArg``. This fixes a potential XSS vulnerability affecting versions starting from 0.5.0.", - "cve": null, + "cve": "PVE-2021-35028", "id": "pyup.io-35028", "specs": [ ">=0.5.0,<0.5.5" @@ -7006,7 +9004,7 @@ "friendlyshell": [ { "advisory": "friendlyshell 1.0.3 fixes security warnings, and bugs with parsing quoted command parameters.", - "cve": null, + "cve": "PVE-2021-36642", "id": "pyup.io-36642", "specs": [ "<1.0.3" 
@@ -7017,7 +9015,7 @@ "ftw-dashboard-portlets-postit": [ { "advisory": "ftw-dashboard-portlets-postit 1.3.4 fixes a security error, it was possible to add postit comment on a foreign dashboard if the userid an portlet id was known.", - "cve": null, + "cve": "PVE-2021-35933", "id": "pyup.io-35933", "specs": [ "<1.3.4" @@ -7028,7 +9026,7 @@ "ftw.dashboard.dragndrop": [ { "advisory": "ftw.dashboard.dragndrop 1.5.1 includes several undisclosed security fixes.", - "cve": null, + "cve": "PVE-2021-25831", "id": "pyup.io-25831", "specs": [ "<1.5.1" @@ -7039,7 +9037,7 @@ "ftw.dashboard.portlets.postit": [ { "advisory": "ftw.dashboard.portlets.postit 1.3.4 fixes a security error, it was possible to add postit comment on a foreign dashboard if the userid an portlet id was known.", - "cve": null, + "cve": "PVE-2021-25832", "id": "pyup.io-25832", "specs": [ "<1.3.4" @@ -7050,7 +9048,7 @@ "ftw.lawgiver": [ { "advisory": "Ftw.lawgiver 1.16.1 fixes the workflow security.", - "cve": null, + "cve": "PVE-2021-37470", "id": "pyup.io-37470", "specs": [ "<1.16.1" @@ -7061,7 +9059,7 @@ "ftw.mail": [ { "advisory": "ftw.mail 2.2.3 makes mail view XSS-save using the safe-html transform for the mail-body display.", - "cve": null, + "cve": "PVE-2021-25833", "id": "pyup.io-25833", "specs": [ "<2.2.3" @@ -7072,7 +9070,7 @@ "ftw.meeting": [ { "advisory": "ftw.meeting before 1.4.1 isn't using safe-html-transform for textfields.", - "cve": null, + "cve": "PVE-2021-25834", "id": "pyup.io-25834", "specs": [ "<1.4.1" @@ -7083,7 +9081,7 @@ "ftw.permissionmanager": [ { "advisory": "ftw.permissionmanager before 2.2.2 allowed users with view permission to access the advanced security features. Since it's possible to search for all users, which exposes all usernames and email addresses to anyone with view permission.", - "cve": null, + "cve": "PVE-2021-25835", "id": "pyup.io-25835", "specs": [ "<2.2.2" 
@@ -7091,10 +9089,21 @@ "v": "<2.2.2" } ], + "funcx": [ + { + "advisory": "Funcx 0.2.0 overhauls the security architecture.", + "cve": "PVE-2021-40175", + "id": "pyup.io-40175", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], "fundnsf": [ { "advisory": "fundnsf 0.0.32 updates requests 2.20.0 for security", - "cve": null, + "cve": "PVE-2021-36598", "id": "pyup.io-36598", "specs": [ "<0.0.32" @@ -7105,7 +9114,7 @@ "futoin-cid": [ { "advisory": "futoin-cid before 0.8.5 does not properly check components loading from the root directory when using os.path.join().", - "cve": null, + "cve": "PVE-2021-35184", "id": "pyup.io-35184", "specs": [ "<0.8.5" @@ -7113,10 +9122,21 @@ "v": "<0.8.5" } ], + "galaxy-importer": [ + { + "advisory": "Galaxy-importer 0.2.15 updates the 'bleach' dependency to 3.3.0 to fix 'XSS mutation' CVE (https://issues.redhat.com/browse/AAH-327).", + "cve": "PVE-2021-40174", + "id": "pyup.io-40174", + "specs": [ + "<0.2.15" + ], + "v": "<0.2.15" + } + ], "gandi.cli": [ { "advisory": "gandi.cli 0.10 includes two security related fixes: \r\n\r\n- validate server certificate using request as\r\n xmlrpc transport.\r\n- Security: restrict configuration file rights to owner only.", - "cve": null, + "cve": "PVE-2021-25836", "id": "pyup.io-25836", "specs": [ "<0.10" @@ -7127,7 +9147,7 @@ "gdal": [ { "advisory": "Gdal 3.1.0 includes multiple security-related fixes. No details are given.", - "cve": null, + "cve": "PVE-2021-38264", "id": "pyup.io-38264", "specs": [ "<3.1.0" 
@@ -7135,20 +9155,42 @@ "v": "<3.1.0" } ], + "gds-django-jet": [ + { + "advisory": "Gds-django-jet 1.0.4 fixes an security issue with accessing 'model_lookup_view' (when using 'RelatedFieldAjaxListFilter') without permissions.", + "cve": "PVE-2021-40668", + "id": "pyup.io-40668", + "specs": [ + "<1.0.4" + ], + "v": "<1.0.4" + } + ], + "genbadge": [ + { + "advisory": "Genbadge 1.0.0 starts to use 'defusedxml' to fix a known vulnerability. See: .", + "cve": "PVE-2021-40496", + "id": "pyup.io-40496", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + } + ], "genshi": [ { - "advisory": "genshi 0.6.1 includes a security fix to enhance sanitizing of CSS in style attributes. Genshi's `HTMLSanitizer` disallows style attributes by default (this remains unchanged) and warns against such attacks in its documentation, but the provided CSS santizing is now less lacking (see GitHub issue 455).", - "cve": null, - "id": "pyup.io-34688", + "advisory": "genshi 0.6.1 updates the HTML sanitizer to strip any CSS comments in style attributes, which could previously be used to hide malicious property values. This security fix to enhances sanitizing of CSS in style attributes. Genshi's `HTMLSanitizer` disallows style attributes by default (this remains unchanged) and warns against such attacks in its documentation.", + "cve": "PVE-2021-39055", + "id": "pyup.io-39055", "specs": [ "<0.6.1" ], "v": "<0.6.1" }, { - "advisory": "genshi 0.6.1 updates the HTML sanitizer to strip any CSS comments in style attributes, which could previously be used to hide malicious property values. This security fix to enhances sanitizing of CSS in style attributes. Genshi's `HTMLSanitizer` disallows style attributes by default (this remains unchanged) and warns against such attacks in its documentation.", - "cve": null, - "id": "pyup.io-39055", + "advisory": "genshi 0.6.1 includes a security fix to enhance sanitizing of CSS in style attributes. 
Genshi's `HTMLSanitizer` disallows style attributes by default (this remains unchanged) and warns against such attacks in its documentation, but the provided CSS santizing is now less lacking (see GitHub issue 455).", + "cve": "PVE-2021-34688", + "id": "pyup.io-34688", "specs": [ "<0.6.1" ], @@ -7158,7 +9200,7 @@ "geojson-client": [ { "advisory": "Geojson-client 0.4 fetches NSW Rural Fire Service feed securely via HTTPS.", - "cve": null, + "cve": "PVE-2021-38898", "id": "pyup.io-38898", "specs": [ "<0.4" @@ -7169,7 +9211,7 @@ "geokey": [ { "advisory": "Geokey 1.11.2 upgrades the REST framework (+GIS) dependencies in order to resolve reported vulnerability issue.", - "cve": null, + "cve": "PVE-2021-37207", "id": "pyup.io-37207", "specs": [ "<1.11.2" @@ -7178,7 +9220,7 @@ }, { "advisory": "Geokey 1.3.1 includes a not further specified security update.", - "cve": null, + "cve": "PVE-2021-35080", "id": "pyup.io-35080", "specs": [ "<1.3.1" @@ -7189,7 +9231,7 @@ "geonode": [ { "advisory": "Geonode 2.10.30 updates django from 1.11.21 to 1.11.22, updates twisted from 18.9.0 to 19.2.1, and updates urllib3 to 1.24.2. \r\n\r\nIt also removes not useful and potentially blocking calls from signals and login/out calls, and also enforces GeoNode REST service API security.\r\n\r\nLastly, it addresses security vulnerabilities in the PyYAML dependency and includes some general security and encoding updates.", - "cve": null, + "cve": "PVE-2021-37877", "id": "pyup.io-37877", "specs": [ "<2.10.3" @@ -7198,7 +9240,7 @@ }, { "advisory": "Geonode 2.8.1 fix a JavaScript vulnerability and also fixes a vulnerability with the Pillow dependency.", - "cve": null, + "cve": "PVE-2021-38558", "id": "pyup.io-38558", "specs": [ "<2.8.1" 
@@ -7206,21 +9248,32 @@ "v": "<2.8.1" } ], + "geonode-oauth-toolkit": [ + { + "advisory": "Geonode-oauth-toolkit 0.8.0 fixes vulnerabilities on Basic authentication.", + "cve": "PVE-2021-40423", + "id": "pyup.io-40423", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + } + ], "gerapy": [ { - "advisory": "CVE-2020-7698 affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the project_configure endpoint, isn\u2019t being sanitized.", + "advisory": "This affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the project_configure endpoint, isn\u2019t being sanitized. See: CVE-2020-7698.", "cve": "CVE-2020-7698", "id": "pyup.io-38636", "specs": [ - ">=0,<0.9.3" + "<0.9.3" ], - "v": ">=0,<0.9.3" + "v": "<0.9.3" } ], "getmail": [ { "advisory": "Versions of getmail prior to 4.2.0 and 3.2.5 contain a security vulnerability. A local attacker with a shell account could exploit a race condition (or a similar symlink attack) to cause getmail to create or overwrite files in a directory of the local user's choosing if the system administrator ran getmail as root and delivered messages to a maildir or mbox file under the control of the attacker, resulting in a local root exploit. (This vulnerability is not exploitable if the administrator does not deliver mail to the maildirs/mbox files of untrusted local users, or if getmail is configured to use an external unprivileged MDA. Also, this vulnerability is not remotely exploitable.)", - "cve": null, + "cve": "PVE-2021-38862", "id": "pyup.io-38862", "specs": [ "<3.2.5", 
@@ -7232,7 +9285,7 @@ "gevent": [ { "advisory": "gevent 1.2a1 includes a security related fix. Errors logged by :class:`~gevent.pywsgi.WSGIHandler` no longer print the entire WSGI environment by default. This avoids possible information disclosure vulnerabilities. Applications can also opt-in to a higher security level for the WSGI environment if they choose and their frameworks support it. Originally reported in :pr:`779` by sean-peters-au and changed in :pr:`781`.", - "cve": null, + "cve": "PVE-2021-25837", "id": "pyup.io-25837", "specs": [ "<1.2a1" @@ -7243,7 +9296,7 @@ "geventhttpclient": [ { "advisory": "geventhttpclient 1.2.0 includes an undisclosed security fix related to SSL support.", - "cve": null, + "cve": "PVE-2021-25838", "id": "pyup.io-25838", "specs": [ "<1.2.0" @@ -7251,10 +9304,30 @@ "v": "<1.2.0" } ], + "gino-quart": [ + { + "advisory": "Gino-quart 0.1.1b2 updates 'cryptography' dependency to fix a security issue.", + "cve": "PVE-2021-39623", + "id": "pyup.io-39623", + "specs": [ + "<0.1.1b2" + ], + "v": "<0.1.1b2" + }, + { + "advisory": "Gino-quart bumps jinja2 from version 2.11.2 to 2.11.3 to improve its security.", + "cve": "PVE-2021-40058", + "id": "pyup.io-40058", + "specs": [ + "<0.1.1b4" + ], + "v": "<0.1.1b4" + } + ], "giosgapps-bindings": [ { "advisory": "Giosgapps-bindings 0.0.19 updates Django to get rid of security warnings.", - "cve": null, + "cve": "PVE-2021-37906", "id": "pyup.io-37906", "specs": [ "<0.0.19" @@ -7265,7 +9338,7 @@ "girder": [ { "advisory": "girder 2.2.0 fixes an XSS vulnerability in girders human-readable web API output. This vulnerability was not present in girders normal web client, so users of the Girder web client would not have been affected.", - "cve": null, + "cve": "PVE-2021-34634", "id": "pyup.io-34634", "specs": [ "<2.2.0" 
@@ -7274,7 +9347,7 @@ }, { "advisory": "In girder 2.5.0 the default Girder server now binds to localhost by default instead of 0.0.0.0.", - "cve": null, + "cve": "PVE-2021-35831", "id": "pyup.io-35831", "specs": [ "<2.5.0" @@ -7282,10 +9355,21 @@ "v": "<2.5.0" } ], + "git-portfolio": [ + { + "advisory": "Git-portfolio 0.10.1 includes various security patches.", + "cve": "PVE-2021-39510", + "id": "pyup.io-39510", + "specs": [ + "<0.10.1" + ], + "v": "<0.10.1" + } + ], "gitlab-languages": [ { "advisory": "gitlab-languages 1.4.1 updates dependencies, because of a security vulnerability in request `<2.20.0`", - "cve": null, + "cve": "PVE-2021-36639", "id": "pyup.io-36639", "specs": [ "<1.4.1" @@ -7293,10 +9377,41 @@ "v": "<1.4.1" } ], + "gitlabform": [ + { + "advisory": "Gitlabform 2.0.5 fixes potential security issue by enabling autoescaping when loading the 'Jinja' templates.", + "cve": "PVE-2021-40639", + "id": "pyup.io-40639", + "specs": [ + "<2.0.5" + ], + "v": "<2.0.5" + } + ], + "glances": [ + { + "advisory": "Glances 3.2.0 updates Web UI for a security vulnerability.", + "cve": "PVE-2021-40900", + "id": "pyup.io-40900", + "specs": [ + "<3.2.0" + ], + "v": "<3.2.0" + }, + { + "advisory": "The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.", + "cve": "CVE-2021-23418", + "id": "pyup.io-41042", + "specs": [ + "<3.2.1" + ], + "v": "<3.2.1" + } + ], "glovo-api-python": [ { "advisory": "Glovo-api-python 2.0.0 updates its dependencies to remove the insecure ones.", - "cve": null, + "cve": "PVE-2021-38427", "id": "pyup.io-38427", "specs": [ "<2.0.0" @@ -7307,7 +9422,7 @@ "gns3-gui": [ { "advisory": "gns3-gui 1.5.1 fixes a security related bug to prevent client to send empty hostname.", - "cve": null, + "cve": "PVE-2021-25839", "id": "pyup.io-25839", "specs": [ "<1.5.1" 
@@ -7326,18 +9441,18 @@ "v": "<0.3.5" }, { - "advisory": "The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using \"$(\" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.", - "cve": "CVE-2014-1927", - "id": "pyup.io-35533", + "advisory": "The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using \"\\\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.", + "cve": "CVE-2014-1928", + "id": "pyup.io-35534", "specs": [ "==0.3.5" ], "v": "==0.3.5" }, { - "advisory": "The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using \"\\\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.", - "cve": "CVE-2014-1928", - "id": "pyup.io-35534", + "advisory": "The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using \"$(\" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.", + "cve": "CVE-2014-1927", + "id": "pyup.io-35533", "specs": [ "==0.3.5" ], 
@@ -7354,10 +9469,21 @@ "v": "==0.3.5,==0.3.6" } ], + "gocept.month": [ + { + "advisory": "Gocept.month 2.2 adds a missing security declaration needed for the '.browser.widget.MonthWidget', the month widget for 'z3c.form'.", + "cve": "PVE-2021-40231", + "id": "pyup.io-40231", + "specs": [ + "<2.2" + ], + "v": "<2.2" + } + ], "goharbor": [ { "advisory": "goharbor 1.1.0 fixes some security issues in token service.", - "cve": null, + "cve": "PVE-2021-36776", "id": "pyup.io-36776", "specs": [ "<1.1.0" 
@@ -7385,27 +9511,38 @@ "v": "<1.5.4" }, { - "advisory": "The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent os.popen calls, which allows local users to bypass intended access restrictions and execute arbitrary commands via a dev_appserver.RestrictedPathFunction._original_os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.", - "cve": "CVE-2011-4212", - "id": "pyup.io-33130", + "advisory": "The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.", + "cve": "CVE-2011-4213", + "id": "pyup.io-33131", "specs": [ "<1.5.4" ], "v": "<1.5.4" }, { - "advisory": "The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.", - "cve": "CVE-2011-4213", - "id": "pyup.io-33131", + "advisory": "The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent os.popen calls, which allows local users to bypass intended access restrictions and execute arbitrary commands via a dev_appserver.RestrictedPathFunction._original_os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.", + "cve": "CVE-2011-4212", + "id": "pyup.io-33130", "specs": [ "<1.5.4" ], "v": "<1.5.4" } ], + "google-images-search": [ + { + "advisory": "Google-images-search 1.3.8 updates Pillow to version 8.1.1 to address a 
vulnerability.", + "cve": "PVE-2021-40043", + "id": "pyup.io-40043", + "specs": [ + "<1.3.8" + ], + "v": "<1.3.8" + } + ], "gordo-components": [ { - "advisory": "Gordo-components 0.15.1 updates the dependency urllib3 >= 1.24.2 to address urllib3 security alert - see https://nvd.nist.gov/vuln/detail/CVE-2019-11324", + "advisory": "Gordo-components 0.15.1 includes a fix for CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.", "cve": "CVE-2019-11324", "id": "pyup.io-37545", "specs": [ @@ -7417,7 +9554,7 @@ "gphotos-sync": [ { "advisory": "gphotos-sync 2.9 update dependencies for security patches", - "cve": null, + "cve": "PVE-2021-37829", "id": "pyup.io-37829", "specs": [ "<2.9" @@ -7428,7 +9565,7 @@ "gpmf": [ { "advisory": "Gpmf 1.2.2 addresses OOB attacks.", - "cve": null, + "cve": "PVE-2021-38566", "id": "pyup.io-38566", "specs": [ "<1.2.2" @@ -7439,7 +9576,7 @@ "grafana-dashboard-builder": [ { "advisory": "Grafana-dashboard-builder 0.6.0a1 fixes a pyyaml security issue.", - "cve": null, + "cve": "PVE-2021-38648", "id": "pyup.io-38648", "specs": [ "<0.6.0a1" @@ -7447,10 +9584,21 @@ "v": "<0.6.0a1" } ], + "graphite-web": [ + { + "advisory": "Graphite-web 1.1.8 prevents cross-site scripting.", + "cve": "PVE-2021-40227", + "id": "pyup.io-40227", + "specs": [ + "<1.1.8" + ], + "v": "<1.1.8" + } + ], "graphrepo": [ { "advisory": "Graphrepo 0.1.8 updates some dependencies in order to avoid security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-38421", "id": "pyup.io-38421", "specs": [ "<0.1.8" 
@@ -7461,7 +9609,7 @@ "graphtransliterator": [ { "advisory": "Graphtransliterator 1.1.2 includes security updates. No details were given.", - "cve": null, + "cve": "PVE-2021-38234", "id": "pyup.io-38234", "specs": [ "<1.1.2" @@ -7472,7 +9620,7 @@ "great-components": [ { "advisory": "great-components 25.0.1 updates lodash vulnerability", - "cve": null, + "cve": "PVE-2021-37925", "id": "pyup.io-37925", "specs": [ "<25.0.1" @@ -7483,7 +9631,7 @@ "guillotina": [ { "advisory": "guillotina 4.5.8 fixes memory leak in security policy lookups", - "cve": null, + "cve": "PVE-2021-36961", "id": "pyup.io-36961", "specs": [ "<4.5.8" 
@@ -7492,18 +9640,68 @@ }, { "advisory": "Guillotina 6.0.0b3 fixes a security policy not taking into account IInheritPermissionMap for principals.", - "cve": null, + "cve": "PVE-2021-38203", "id": "pyup.io-38203", "specs": [ "<6.0.0b3" ], "v": "<6.0.0b3" + }, + { + "advisory": "Guillotina 6.2.3 improves security checking for the search in PostgreSQL catalog.", + "cve": "PVE-2021-40178", + "id": "pyup.io-40178", + "specs": [ + "<6.2.3" + ], + "v": "<6.2.3" + } + ], + "guillotina-dynamictablestorage": [ + { + "advisory": "guillotina-dynamictablestorage 1.1.0 fixes a possible sql injection.", + "cve": "PVE-2021-40218", + "id": "pyup.io-40218", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], + "gunicorn": [ + { + "advisory": "Gunicorn 19.10.0 includes a security fix to prevent HTTP desync attack.", + "cve": "PVE-2021-40105", + "id": "pyup.io-40105", + "specs": [ + "<19.10.0" + ], + "v": "<19.10.0" + }, + { + "advisory": "Gunicorn 20.0.1 fixes chunked encoding support to prevent any request smuggling for security purposes.", + "cve": "PVE-2021-40104", + "id": "pyup.io-40104", + "specs": [ + "<19.10.0", + ">=20.0.0,<20.0.1" + ], + "v": "<19.10.0,>=20.0.0,<20.0.1" + }, + { + "advisory": "Gunicorn 19.4.0 includes a security fix to raise 'InvalidRequestLine' exception when the line contains malicious data.", + "cve": "PVE-2021-40103", + "id": "pyup.io-40103", + "specs": [ + "<19.4.0" + ], + "v": "<19.4.0" } ], "gvar": [ { "advisory": "Gvar 9.2.1 fixes bugs in gvar.load and gvar.dump caused by recent security upgrades to pyYAML.", - "cve": null, + "cve": "PVE-2021-37809", "id": "pyup.io-37809", "specs": [ "<9.2.1" 
@@ -7511,10 +9709,52 @@ "v": "<9.2.1" } ], + "handprint": [ + { + "advisory": "Handprint 1.5.0 updates the underlying 'urllib3' library to fix a security warning.", + "cve": "PVE-2021-40823", + "id": "pyup.io-40823", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" + } + ], + "hardline": [ + { + "advisory": "Hardline 0.12 contains privacy enchantments for hashID domain names.", + "cve": "PVE-2021-39435", + "id": "pyup.io-39435", + "specs": [ + "<0.12" + ], + "v": "<0.12" + }, + { + "advisory": "Hardline 0.13 uses rolling-code to slightly deter certain fingerprinting attacks on networks with strong client isolation.", + "cve": "PVE-2021-40590", + "id": "pyup.io-40590", + "specs": [ + "<0.13" + ], + "v": "<0.13" + } + ], + "hashers": [ + { + "advisory": "Hashers 0.2.11 adds protection against time-attacks on string comparisons.", + "cve": "PVE-2021-39643", + "id": "pyup.io-39643", + "specs": [ + "<0.2.11" + ], + "v": "<0.2.11" + } + ], "heedy": [ { "advisory": "Heedy 0.3.0a1 reports it its changelog: There might [...] be security issues. Use at your own risk.", - "cve": null, + "cve": "PVE-2021-37687", "id": "pyup.io-37687", "specs": [ "<0.3.0a1" @@ -7525,7 +9765,7 @@ "henosis": [ { "advisory": "henosis before 0.0.11 included a vulnerability that was opened by using `yaml.load` as opposed to `yaml.safe_load` ([issue 22](https://github.com/vc1492a/henosis/issues/22)).", - "cve": null, + "cve": "PVE-2021-36303", "id": "pyup.io-36303", "specs": [ "<0.0.11" @@ -7536,7 +9776,7 @@ "hhpy": [ { "advisory": "Hhpy 0.1.8 includes an upgrade of bleach for security reasons.", - "cve": null, + "cve": "PVE-2021-38480", "id": "pyup.io-38480", "specs": [ "<0.1.8" 
@@ -7544,10 +9784,21 @@ "v": "<0.1.8" } ], + "hivemind": [ + { + "advisory": "Hivemind 0.9.5 includes fixes for several known bugs and security vulnerabilities.", + "cve": "PVE-2021-40150", + "id": "pyup.io-40150", + "specs": [ + "<0.9.5" + ], + "v": "<0.9.5" + } + ], "holocron": [ { "advisory": "holocron 0.2.0 fixed a security issue when content author may steal private data through content's meta header.", - "cve": null, + "cve": "PVE-2021-25844", "id": "pyup.io-25844", "specs": [ "<0.2.0" @@ -7558,7 +9809,7 @@ "homeassistant": [ { "advisory": "homeassistant before 0.37 uses a weak random number generator to create access tokens for camera feeds which could be brute force attacked in 2.5 weeks", - "cve": null, + "cve": "PVE-2021-34222", "id": "pyup.io-34222", "specs": [ "<0.37" @@ -7567,7 +9818,7 @@ }, { "advisory": "homeassistant before 0.73.2 and >=0.56 is vulnerable to a man in the middle attack since SSL verification was disabled for **outgoing** requests that were done using the shared aiohttp session.", - "cve": null, + "cve": "PVE-2021-36326", "id": "pyup.io-36326", "specs": [ ">=0.56,<0.73.2" @@ -7576,7 +9827,7 @@ }, { "advisory": "The markdown renderer in homeassistant 0.98 is vulnerable to an XSS attack if exposed to specially crafted markdown. This was fixed in 0.98.5. See: .", - "cve": null, + "cve": "PVE-2021-37453", "id": "pyup.io-37453", "specs": [ ">=0.98,<0.98.5" 
@@ -7584,10 +9835,23 @@ "v": ">=0.98,<0.98.5" } ], + "horizon": [ + { + "advisory": "An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the \"next\" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL. See CVE-2020-29565.", + "cve": "CVE-2020-29565", + "id": "pyup.io-39226", + "specs": [ + "<15.3.2", + ">=17.0,<18.3.3", + ">=16.0.0.0b1,<16.2.1" + ], + "v": "<15.3.2,>=17.0,<18.3.3,>=16.0.0.0b1,<16.2.1" + } + ], "hotaru": [ { "advisory": "Hotaru 3.2.4 updates tensorflow to >= 2.2.1. Tensorflow versions before 2.2.1 are known to be affected by several CVEs.", - "cve": null, + "cve": "PVE-2021-38822", "id": "pyup.io-38822", "specs": [ "<3.2.4" @@ -7595,7 +9859,18 @@ "v": "<3.2.4" } ], - "hpack": [ + "hover": [ + { + "advisory": "Hover 0.4.0 was released with the acknowledgement that it (and previous versions?) includes a potential security concern. In particular, it displays traceback information if something breaks in the scope of the recipe.", + "cve": "PVE-2021-39389", + "id": "pyup.io-39389", + "specs": [ + "<=0.4.0" + ], + "v": "<=0.4.0" + } + ], + "hpack": [ { "advisory": "A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.", "cve": "CVE-2016-6580", 
@@ -7627,18 +9902,27 @@ "hpim-dm": [ { "advisory": "hpim-dm 1.0 includes dissertation work and security implementation", - "cve": null, + "cve": "PVE-2021-37836", "id": "pyup.io-37836", "specs": [ "<1.0" ], "v": "<1.0" + }, + { + "advisory": "Hpim-dm 1.4 fixes security issues on IPv6 HPIM-DM interfaces.", + "cve": "PVE-2021-39387", + "id": "pyup.io-39387", + "specs": [ + "<1.4" + ], + "v": "<1.4" } ], "html5": [ { "advisory": "html5 before 0.99999999 is vulnerable to a XSS attack. Upgrading avoids the XSS bug potentially caused by serializer allowing attribute values to be escaped out of in old browser versions, changing the quote_attr_values option on serializer to take one of three values, \"always\" (the old True value), \"legacy\" (the new option, and the new default), and \"spec\" (the old False value, and the old default).", - "cve": null, + "cve": "PVE-2021-25845", "id": "pyup.io-25845", "specs": [ "<0.99999999" 
@@ -7648,18 +9932,18 @@ ], "html5lib": [ { - "advisory": "The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.", - "cve": "CVE-2016-9909", - "id": "pyup.io-35693", + "advisory": "The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909.", + "cve": "CVE-2016-9910", + "id": "pyup.io-35694", "specs": [ "<0.99999999" ], "v": "<0.99999999" }, { - "advisory": "The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909.", - "cve": "CVE-2016-9910", - "id": "pyup.io-35694", + "advisory": "The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.", + "cve": "CVE-2016-9909", + "id": "pyup.io-35693", "specs": [ "<0.99999999" ], @@ -7667,7 +9951,7 @@ }, { "advisory": "html5lib before 0.99999999 is vulnerable to a XSS attack. Upgrading avoids the XSS bug potentially caused by serializer allowing attribute values to be escaped out of in old browser versions, changing the quote_attr_values option on serializer to take one of three values, \"always\" (the old True value), \"legacy\" (the new option, and the new default), and \"spec\" (the old False value, and the old default).", - "cve": null, + "cve": "PVE-2021-25846", "id": "pyup.io-25846", "specs": [ "<0.99999999", 
@@ -7679,7 +9963,7 @@ "httpauth": [ { "advisory": "httpauth 0.2 fixes a security issue: Invalid username + empty password were being accepted.", - "cve": null, + "cve": "PVE-2021-25847", "id": "pyup.io-25847", "specs": [ "<0.2" 
@@ -7700,26 +9984,35 @@ ], "httplib2": [ { - "advisory": "Httplib2 0.18.0 is an important security update to patch a CWE-93 CRLF injection vulnerability which forces %xx quote of space, CR, LF characters in uri. See: .", - "cve": null, - "id": "pyup.io-38303", + "advisory": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. See CVE-2020-11078.", + "cve": "CVE-2020-11078", + "id": "pyup.io-38368", "specs": [ "<0.18.0" ], "v": "<0.18.0" }, { - "advisory": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. See CVE-2020-11078.", - "cve": "CVE-2020-11078", - "id": "pyup.io-38368", + "advisory": "Httplib2 0.18.0 is an important security update to patch a CWE-93 CRLF injection vulnerability which forces %xx quote of space, CR, LF characters in uri. See: .", + "cve": "PVE-2021-38303", + "id": "pyup.io-38303", "specs": [ "<0.18.0" ], "v": "<0.18.0" }, + { + "advisory": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library. 
See CVE-2021-21240.", + "cve": "CVE-2021-21240", + "id": "pyup.io-39608", + "specs": [ + "<0.19.0" + ], + "v": "<0.19.0" + }, { "advisory": "httplib2 before and including 0.9.2 on \"SSL certificate hostname mismatch\" it is checked only once: https://github.com/httplib2/httplib2/issues/5", - "cve": null, + "cve": "PVE-2021-25848", "id": "pyup.io-25848", "specs": [ "<=0.9.2" @@ -7730,7 +10023,7 @@ "httprunner": [ { "advisory": "httprunner 2.0.5 fixes xss in response json", - "cve": null, + "cve": "PVE-2021-36945", "id": "pyup.io-36945", "specs": [ "<2.0.5" @@ -7739,7 +10032,7 @@ }, { "advisory": "httprunner 2.1.3 changes: replace eval mechanism with builtins to prevent security vulnerabilities", - "cve": null, + "cve": "PVE-2021-37216", "id": "pyup.io-37216", "specs": [ "<2.1.3" @@ -7750,7 +10043,7 @@ "httpsig": [ { "advisory": "httpsig 1.0.0 removed suport for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.", - "cve": null, + "cve": "PVE-2021-25849", "id": "pyup.io-25849", "specs": [ "<1.0.0" @@ -7761,7 +10054,7 @@ "httpsig-cffi": [ { "advisory": "httpsig-cffi 1.0.0 removed suport for reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.", - "cve": null, + "cve": "PVE-2021-25850", "id": "pyup.io-25850", "specs": [ "<1.0.0" 
@@ -7769,10 +10062,43 @@ "v": "<1.0.0" } ], + "httpx-gssapi": [ + { + "advisory": "Httpx-gssapi 0.6 includes a security patch for CVE-2014-8650.", + "cve": "CVE-2014-8650", + "id": "pyup.io-39509", + "specs": [ + "<0.6" + ], + "v": "<0.6" + } + ], + "hub": [ + { + "advisory": "Hub 0.9.0 upgrades urllib3 to urllib3[secure].", + "cve": "PVE-2021-39217", + "id": "pyup.io-39217", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], + "hubitatmaker": [ + { + "advisory": "Hubitatmaker 0.5.4 updates dependencies to fix some low-severity vulnerabilities.", + "cve": "PVE-2021-40101", + "id": "pyup.io-40101", + "specs": [ + "<0.5.4" + ], + "v": "<0.5.4" + } + ], "hug": [ { "advisory": "hug 2.3.0 fixes a vulnerability in the static file router that allows files in parent directory to be accessed.", - "cve": null, + "cve": "PVE-2021-34472", "id": "pyup.io-34472", "specs": [ "<2.3.0" @@ -7783,7 +10109,7 @@ "humblesetuptools": [ { "advisory": "humblesetuptools 0.9.5 fixes a security vulnerability in SSL certificate validation.", - "cve": null, + "cve": "PVE-2021-25851", "id": "pyup.io-25851", "specs": [ "<0.9.5" @@ -7792,7 +10118,7 @@ }, { "advisory": "humblesetuptools 1.3 adresses a security vulnerability in SSL match_hostname check as reported in Python #17997.", - "cve": null, + "cve": "PVE-2021-25852", "id": "pyup.io-25852", "specs": [ "<1.3" @@ -7800,10 +10126,21 @@ "v": "<1.3" } ], + "hxl-proxy": [ + { + "advisory": "Hxl-proxy 1.22 updates to libhxl=4.22 for security reasons.", + "cve": "PVE-2021-40296", + "id": "pyup.io-40296", + "specs": [ + "<1.22" + ], + "v": "<1.22" + } + ], "hydroshare": [ { "advisory": "hydroshare before 1.9.5 has multiple - undisclosed - security issues.", - "cve": null, + "cve": "PVE-2021-34264", "id": "pyup.io-34264", "specs": [ "<1.9.5" @@ -7812,7 +10149,7 @@ }, { "advisory": "hydroshare before 1.9.6 has multiple - undisclosed - security issues.", - "cve": null, + "cve": "PVE-2021-34265", "id": "pyup.io-34265", "specs": [ "<1.9.6" 
@@ -7831,10 +10168,21 @@ "v": "<0.6.1" } ], + "hypothesis": [ + { + "advisory": "Hypothesis 3.69.8 moves away from using pickle module and replaces it with json to prevent possible security issues.", + "cve": "PVE-2021-39447", + "id": "pyup.io-39447", + "specs": [ + "<3.69.8" + ], + "v": "<3.69.8" + } + ], "ib-client": [ { "advisory": "Ib-client 0.1.2 updates packages (especially Jinja2 which had a vulnerability in version 2.10).", - "cve": null, + "cve": "PVE-2021-37047", "id": "pyup.io-37047", "specs": [ "<0.1.2" @@ -7842,10 +10190,21 @@ "v": "<0.1.2" } ], + "idchecker": [ + { + "advisory": "Idchecker 1.1.1 was re-created for security reasons.", + "cve": "PVE-2021-40134", + "id": "pyup.io-40134", + "specs": [ + "<1.1.1" + ], + "v": "<1.1.1" + } + ], "im": [ { "advisory": "im 1.5.0 removes use of insecure Pickle data.", - "cve": null, + "cve": "PVE-2021-36819", "id": "pyup.io-36819", "specs": [ "<1.5.0" @@ -7856,7 +10215,7 @@ "imageio": [ { "advisory": "imageio 2.6.0 fixes a security vulnerability for Windows users that have dcmtk installed, and where an attacker can set the filename", - "cve": null, + "cve": "PVE-2021-37902", "id": "pyup.io-37902", "specs": [ "<2.6.0" @@ -7867,7 +10226,7 @@ "indico": [ { "advisory": "indico before 2.0.2 uses a insecure transitive dependency (bleach).", - "cve": null, + "cve": "PVE-2021-35802", "id": "pyup.io-35802", "specs": [ "<2.0.2" 
@@ -7876,16 +10235,52 @@ }, { "advisory": "Indico 2.2.8 updates Bleach to fix a regular expression denial of service vulnerability. It also updates Pillow to fix a buffer overflow vulnerability.", - "cve": null, + "cve": "PVE-2021-38163", "id": "pyup.io-38163", "specs": [ "<2.2.8" ], "v": "<2.2.8" }, + { + "advisory": "Indico 2.3.4 fixes some open redirects which could help making harmful URLs look more trustworthy by linking to Indico and having it redirect the user to a malicious site. Also, the :data:`BASE_URL` is now always enforced and requests whose Host header does not match are rejected. This prevents malicious actors from tricking Indico into sending e.g. a password reset link to a user that points to a host controlled by the attacker instead of the actual Indico host.", + "cve": "PVE-2021-40431", + "id": "pyup.io-40431", + "specs": [ + "<2.3.4" + ], + "v": "<2.3.4" + }, + { + "advisory": "Indico 2.3.5 fixes XSS vulnerabilities in the category picker (via category titles), location widget (via room and venue names defined by an Indico administrator) and the \"Indico Weeks View\" timetable theme (via contribution/break titles defined by an event organizer).", + "cve": "PVE-2021-40430", + "id": "pyup.io-40430", + "specs": [ + "<2.3.5" + ], + "v": "<2.3.5" + }, + { + "advisory": "Indico 3.0 improves security for the 'OAuth' provider module.", + "cve": "PVE-2021-40429", + "id": "pyup.io-40429", + "specs": [ + "<3.0" + ], + "v": "<3.0" + }, + { + "advisory": "Indico 3.0rc1 re-implements the 'OAuth' provider module based on a more modern library ('authlib'). Support for the somewhat insecure *implicit flow* has been removed in favor of the code-with-PKCE flow. 
Tokens are now stored more securely as a hash instead of plaintext.", + "cve": "PVE-2021-40856", + "id": "pyup.io-40856", + "specs": [ + "<3.0rc1" + ], + "v": "<3.0rc1" + }, { "advisory": "Indico 2.0.3 no longer shows contribution information (metadata including title, speakers and a partial description) in the contribution list unless the user has access to a contribution.", - "cve": null, + "cve": "PVE-2021-37568", "id": "pyup.io-37568", "specs": [ ">=2.0.0,<2.0.3" @@ -7894,7 +10289,7 @@ }, { "advisory": "Indico 2.1.11 fixes more places where LaTeX input was not correctly sanitized. While the biggest security impact (reading local files) has already been mitigated when fixing the initial vulnerability in the previous release, it is still strongly recommended to update.", - "cve": null, + "cve": "PVE-2021-37570", "id": "pyup.io-37570", "specs": [ ">=2.1.0,<2.1.11" @@ -7912,7 +10307,7 @@ }, { "advisory": "Indico 2.2.3 and 2.1.10\r\n- Strip ``@``, ``+``, ``-`` and ``=`` from the beginning of strings when exporting CSV files to avoid security issues when opening the CSV file in Excel.\r\n- Use 027 instead of 000 umask when temporarily changing it to get the current umask.\r\n- Fix LaTeX sanitization to prevent malicious users from running unsafe LaTeX commands through specially crafted abstracts or contribution descriptions, which could lead to the disclosure of local file contents.", - "cve": null, + "cve": "PVE-2021-37567", "id": "pyup.io-37567", "specs": [ ">=2.2.0,<2.2.3", @@ -7922,7 +10317,7 @@ }, { "advisory": "Indico 2.2.4 fixes more places where LaTeX input was not correctly sanitized. While the biggest security impact (reading local files) has already been mitigated when fixing the initial vulnerability in the previous release, it is still strongly recommended to update.", - "cve": null, + "cve": "PVE-2021-37569", "id": "pyup.io-37569", "specs": [ ">=2.2.0,<2.2.4" 
@@ -7930,10 +10325,30 @@ "v": ">=2.2.0,<2.2.4" } ], + "influx-prompt": [ + { + "advisory": "Influx-prompt 1.0.1 includes a security fix to mitigate CVE-2021-27291.", + "cve": "CVE-2021-27291", + "id": "pyup.io-40135", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + }, + { + "advisory": "Influx-prompt 1.0.1 includes a security fix to mitigate CVE-2021-20270.", + "cve": "CVE-2021-20270", + "id": "pyup.io-40147", + "specs": [ + "<1.0.1" + ], + "v": "<1.0.1" + } + ], "infracheck": [ { "advisory": "Infracheck 1.7.rc2 adds a `ssh-fingerprint` check, which verifies if any remote host fingerprint matches. This helps detecting man-in-the-middle and server takeover attacks.", - "cve": null, + "cve": "PVE-2021-39200", "id": "pyup.io-39200", "specs": [ "<1.7.rc2" @@ -7944,7 +10359,7 @@ "insecure-package": [ { "advisory": "This is an insecure package with lots of exploitable security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-25853", "id": "pyup.io-25853", "specs": [ "<0.2.0" @@ -7955,7 +10370,7 @@ "inspetor": [ { "advisory": "Inspetor 2.3.1 updates `sprockets` in `Gemfile.lock` to fix security warnings.", - "cve": null, + "cve": "PVE-2021-37343", "id": "pyup.io-37343", "specs": [ "<2.3.1" 
@@ -7966,36 +10381,18 @@ "instana": [ { "advisory": "Instana 1.20.2 upgrades the `event-loop-lag` because of security vulnerabilities in its dependency tree.", - "cve": null, + "cve": "PVE-2021-34809", "id": "pyup.io-34809", "specs": [ "<1.20.2" ], "v": "<1.20.2" - }, - { - "advisory": "Instana 1.36.1 upgrades the `event-loop-lag` to address a security vulnerability. See: .", - "cve": null, - "id": "pyup.io-37188", - "specs": [ - "<1.36.1" - ], - "v": "<1.36.1" - }, - { - "advisory": "Instana 1.37.1 switches to `@risingstack/v8-profiler` due to security issues in the transitive dependencies of `v8-profiler`.", - "cve": null, - "id": "pyup.io-37187", - "specs": [ - "<1.37.1" - ], - "v": "<1.37.1" } ], "intelmq": [ { "advisory": "Intelmq through 2.1.1 is not secure. Its backend incorrectly handles messages given by user-input in the \"send\" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the web server.", - "cve": null, + "cve": "PVE-2021-38326", "id": "pyup.io-38326", "specs": [ "<=2.1.1" @@ -8006,7 +10403,7 @@ "interpret-community": [ { "advisory": "Interpret-community 0.12.1 upgrades websocket-extensions for security reasons.", - "cve": null, + "cve": "PVE-2021-38442", "id": "pyup.io-38442", "specs": [ "<0.12.1" @@ -8017,7 +10414,7 @@ "invenio": [ { "advisory": "Invenio 0.90.0 includes a new possibility of secure HTTPS authentication while keeping the rest of the site non-HTTPS (WebSession).", - "cve": null, + "cve": "PVE-2021-38733", "id": "pyup.io-38733", "specs": [ "<0.90.0" 
@@ -8026,7 +10423,7 @@ }, { "advisory": "Invenio 0.99.0 fixes an alert deletion tool vulnerability (WebAlert), it includes a new password reset mechanism using new secure mail cookies and temporary role membership facilities (WebAccess, WebSession), and it also includes a script that will update your local user table in order to use encrypted passwords for more security.", - "cve": null, + "cve": "PVE-2021-38734", "id": "pyup.io-38734", "specs": [ "<0.99.0" @@ -8035,7 +10432,7 @@ }, { "advisory": "invenio 1.0.2 includes fixes for several undisclosed XSS vulnerabilities.", - "cve": null, + "cve": "PVE-2021-25854", "id": "pyup.io-25854", "specs": [ "<1.0.2" @@ -8044,7 +10441,7 @@ }, { "advisory": "invenio 1.1.2 fixes a undisclosed XSS vulnerability.", - "cve": null, + "cve": "PVE-2021-25855", "id": "pyup.io-25855", "specs": [ "<1.1.2" @@ -8053,7 +10450,7 @@ }, { "advisory": "Invenio 2.0.5 disables debug mode when using standard Docker image. It uses Docker compose to set the variable instead.", - "cve": null, + "cve": "PVE-2021-38741", "id": "pyup.io-38741", "specs": [ "<2.0.5" @@ -8062,7 +10459,7 @@ }, { "advisory": "invenio 2.0.6 fixes potential XSS issues by changing main flash messages template so that they are not displayed as safe HTML by default.", - "cve": null, + "cve": "PVE-2021-38740", "id": "pyup.io-38740", "specs": [ ">=2.0.0,<2.0.6" @@ -8071,7 +10468,7 @@ }, { "advisory": "invenio 2.1.1 fixes potential XSS issues by changing main flash messages template so that they are not displayed as safe HTML by default.", - "cve": null, + "cve": "PVE-2021-38739", "id": "pyup.io-38739", "specs": [ ">=2.1.0,<2.1.1" @@ -8082,7 +10479,7 @@ "invenio-admin": [ { "advisory": "invenio-admin 1.1.1 has the minimum version of Flask-Admin bumped to v1.5.3 due to Cross-Site Scripting\r\n vulnerability in previous versions.", - "cve": null, + "cve": "PVE-2021-36759", "id": "pyup.io-36759", "specs": [ "<1.0.1", 
@@ -8092,7 +10489,7 @@ }, { "advisory": "invenio-admin 1.1.1 bumps Flask-Admin to v1.5.3 due to Cross-Site Scripting vulnerability in previous versions", - "cve": null, + "cve": "PVE-2021-38011", "id": "pyup.io-38011", "specs": [ "<1.1.1" @@ -8103,7 +10500,7 @@ "invenio-app": [ { "advisory": "Invenio-app 1.1.1 fixes a security issue where APP_ALLOWED_HOSTS was not always being checked, and thus could allow host header injection attacks.", - "cve": null, + "cve": "PVE-2021-37311", "id": "pyup.io-37311", "specs": [ "<1.1.1" @@ -8111,10 +10508,21 @@ "v": "<1.1.1" } ], + "invenio-app-ils": [ + { + "advisory": "Invenio-app-ils 1.0.0a28 adds cookies configuration for improved security.", + "cve": "PVE-2021-40030", + "id": "pyup.io-40030", + "specs": [ + "<1.0.0a28" + ], + "v": "<1.0.0a28" + } + ], "invenio-records": [ { "advisory": "Invenio-records 1.0.2 fixes a XSS vulnerability in the admin interface.", - "cve": null, + "cve": "PVE-2021-37322", "id": "pyup.io-37322", "specs": [ "<1.0.2" @@ -8125,7 +10533,7 @@ "invenio-search": [ { "advisory": "invenio-search 0.1.3 fixes a potential XSS issues by changing search flash messages template so that they are not displayed as safe HTML by default.", - "cve": null, + "cve": "PVE-2021-25856", "id": "pyup.io-25856", "specs": [ "<0.1.3" @@ -8133,6 +10541,17 @@ "v": "<0.1.3" } ], + "iotedgehubdev": [ + { + "advisory": "Lotedgehubdev 0.14.5 upgrades underlying dependencies to address vulnerability issues.", + "cve": "PVE-2021-40098", + "id": "pyup.io-40098", + "specs": [ + "<0.14.5" + ], + "v": "<0.14.5" + } + ], "ipsilon": [ { "advisory": "The Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not properly escape certain characters in a Python exception-message template, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via an HTTP response. See: CVE-2015-5216.", 
@@ -8147,7 +10566,7 @@ "ipwb": [ { "advisory": "ipwb 0.2018.08.29.1434 updates Flask use in ipwb replay due to a security vulnerability.", - "cve": null, + "cve": "PVE-2021-36492", "id": "pyup.io-36492", "specs": [ "<0.2018.08.29.1434" @@ -8156,7 +10575,7 @@ }, { "advisory": "Ipwb 0.2019.07.26.1435 updates Flask for replay to the latest version to address a security vulnerability in an older versions.", - "cve": null, + "cve": "PVE-2021-37304", "id": "pyup.io-37304", "specs": [ "<0.2019.07.26.1435" @@ -8187,7 +10606,7 @@ "irc3": [ { "advisory": "irc3 before 0.4.4 is vulnerable to several undisclosed security issues.", - "cve": null, + "cve": "PVE-2021-25859", "id": "pyup.io-25859", "specs": [ "<0.4.4" @@ -8195,6 +10614,17 @@ "v": "<0.4.4" } ], + "iroin-python-pptx": [ + { + "advisory": "Iroin-python-pptx 0.6.12 updates dependencies to avoid vulnerable the 'Pillow' package version.", + "cve": "PVE-2021-40563", + "id": "pyup.io-40563", + "specs": [ + "<0.6.12" + ], + "v": "<0.6.12" + } + ], "ironic-discoverd": [ { "advisory": "OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.", @@ -8233,7 +10663,7 @@ "iso6709": [ { "advisory": "iso6709 0.1.4 bumped development versions for security fixes", - "cve": null, + "cve": "PVE-2021-37250", "id": "pyup.io-37250", "specs": [ "<0.1.4" @@ -8244,7 +10674,7 @@ "isogeo-export-xl": [ { "advisory": "Isogeo-export-xl 1.3.0 updates bleach to fix a security alert.", - "cve": null, + "cve": "PVE-2021-38286", "id": "pyup.io-38286", "specs": [ "<1.3.0" @@ -8255,7 +10685,7 @@ "isso": [ { "advisory": "isso 0.6 fixes a cross-site request forgery vulnerability for comment creation, voting, editing and deletion.", - "cve": null, + "cve": "PVE-2021-25862", "id": "pyup.io-25862", "specs": [ "<0.6" 
@@ -8266,7 +10696,7 @@ "isso-cn": [ { "advisory": "Isso-cn 0.6 fixes a cross-site request forgery vulnerability for comment creation, voting, editing and deletion.", - "cve": null, + "cve": "PVE-2021-37714", "id": "pyup.io-37714", "specs": [ "<0.6" @@ -8275,7 +10705,7 @@ }, { "advisory": "Isso-cn 0.7 fixes a malicious HTML injection (due to wrong API usage). All unknown/unsafe HTML tags are now removed from the output (`html5lib` 0.99(9) or later) or properly escaped (older `html5lib` versions).", - "cve": null, + "cve": "PVE-2021-37713", "id": "pyup.io-37713", "specs": [ "<0.7" 
@@ -8283,10 +10713,39 @@ "v": "<0.7" } ], + "jake": [ + { + "advisory": "Jake 0.2.59 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.", + "cve": "CVE-2020-27783", + "id": "pyup.io-39256", + "specs": [ + "<0.2.59" + ], + "v": "<0.2.59" + }, + { + "advisory": "Jake 0.2.69 updates lxml because its version 4.6.2 is vulnerable to CVE-2021-28957.", + "cve": "CVE-2021-28957", + "id": "pyup.io-40819", + "specs": [ + "<0.2.69" + ], + "v": "<0.2.69" + }, + { + "advisory": "Jake 0.2.70 updates the 'PyYAML' dependency to version 5.4.1 to address CVE-2020-14343: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.", + "cve": "CVE-2020-14343", + "id": "pyup.io-40820", + "specs": [ + "<0.2.70" + ], + "v": "<0.2.70" + } + ], "jarbas-utils": [ { "advisory": "jarbas-utils 0.5.1 casts encryption key to bytes", - "cve": null, + "cve": "PVE-2021-37883", "id": "pyup.io-37883", "specs": [ "<0.5.1" @@ -8297,7 +10756,7 @@ "jcrypt": [ { "advisory": "The encryption method in Jcrypt 1.1.0 includes security and speed improvements.", - "cve": null, + "cve": "PVE-2021-38425", "id": "pyup.io-38425", "specs": [ "<1.1.0" 
@@ -8308,7 +10767,7 @@ "jeIlyfish": [ { "advisory": "JeIlyfish is a malicious Python library caught stealing SSH and GPG keys. Note that the first \"L\" is a capital \"i\". Reference: .", - "cve": null, + "cve": "PVE-2021-38694", "id": "pyup.io-38694", "specs": [ ">0", @@ -8320,7 +10779,7 @@ "jetforce": [ { "advisory": "For security, unhandled exceptions in jetforce 0.2.0 display a generic error message instead of the plain exception string.", - "cve": null, + "cve": "PVE-2021-38130", "id": "pyup.io-38130", "specs": [ "<0.2.0" @@ -8329,7 +10788,7 @@ }, { "advisory": "Jetforce 0.2.3 fixes a security vulnerability that allowed maliciously crafted URLs to break out of the root server directory.", - "cve": null, + "cve": "PVE-2021-38324", "id": "pyup.io-38324", "specs": [ "<0.2.3" @@ -8340,7 +10799,7 @@ "jiant": [ { "advisory": "Jiant 1.2.0 updates the NLTK requirement to version 3.4.5 to avoid a potential security issue.", - "cve": null, + "cve": "PVE-2021-38864", "id": "pyup.io-38864", "specs": [ "<1.2.0" @@ -8351,7 +10810,7 @@ "jinja": [ { "advisory": "jinja 2.7.2 fixes a security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747 for more information.", - "cve": null, + "cve": "PVE-2021-25863", "id": "pyup.io-25863", "specs": [ "<2.7.2" @@ -8360,7 +10819,7 @@ }, { "advisory": "jinja 2.7.3 fixes a security issue: Corrected the security fix for the cache folder.", - "cve": null, + "cve": "PVE-2021-25864", "id": "pyup.io-25864", "specs": [ "<2.7.3" 
@@ -8369,9 +10828,18 @@ } ], "jinja2": [ + { + "advisory": "This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. See: CVE-2020-28493.", + "cve": "CVE-2020-28493", + "id": "pyup.io-39525", + "specs": [ + "<2.11.3" + ], + "v": "<2.11.3" + }, { "advisory": "jinja2 2.7.2 fixes a security issue: Changed the default folder for the filesystem cache to be user specific and read and write protected on UNIX systems. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747 for more information.", - "cve": null, + "cve": "PVE-2021-25865", "id": "pyup.io-25865", "specs": [ "<2.7.2" @@ -8390,7 +10858,7 @@ ], "jnitrace": [ { - "advisory": "Jnitrace 1.0.6 bumps version of minimilist to fix vulnerability CVE-2020-7598.", + "advisory": "Jnitrace 1.0.6 includes a fix for CVE-2020-7598: Minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.", "cve": "CVE-2020-7598", "id": "pyup.io-38061", "specs": [ @@ -8400,7 +10868,7 @@ }, { "advisory": "Jnitrace 2.2.1 upgrades eslint-package to patch security vulnerability.", - "cve": null, + "cve": "PVE-2021-37427", "id": "pyup.io-37427", "specs": [ "<2.2.1" 
@@ -8408,19 +10876,19 @@ "v": "<2.2.1" }, { - "advisory": "Jnitrace 3.0.5 bumps version of acorn to 7.1.1 to fix vulnerability CVE-2020-7598.", + "advisory": "Jnitrace 3.0.5 includes a fix for CVE-2020-7598: Minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.", "cve": "CVE-2020-7598", "id": "pyup.io-38060", "specs": [ - "<3.0.5" + ">=3.0.0,<3.0.5" ], - "v": "<3.0.5" + "v": ">=3.0.0,<3.0.5" } ], "jose": [ { "advisory": "jose 0.3.0 fixed critical JWT vulnerability.", - "cve": null, + "cve": "PVE-2021-25867", "id": "pyup.io-25867", "specs": [ "<0.3.0" @@ -8431,7 +10899,7 @@ "js-videojs": [ { "advisory": "js-videojs 4.12.5 updates videojs-swf to v4.5.4 to fix a potential security issue ([view](https://github.com/videojs/video.js/pull/1955)", - "cve": null, + "cve": "PVE-2021-36130", "id": "pyup.io-36130", "specs": [ "<4.12.5" @@ -8439,10 +10907,41 @@ "v": "<4.12.5" } ], + "jsoneditor": [ + { + "advisory": "Jsoneditor 2.2.2 fixes a security error in the server side file retriever script of the web application.", + "cve": "PVE-2021-40863", + "id": "pyup.io-40863", + "specs": [ + "<2.2.2" + ], + "v": "<2.2.2" + }, + { + "advisory": "Jsoneditor 9.0.2 includes fixes for XSS vulnerabilities.", + "cve": "PVE-2021-40862", + "id": "pyup.io-40862", + "specs": [ + "<9.0.2" + ], + "v": "<9.0.2" + } + ], + "jsonpickle": [ + { + "advisory": "Jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. See CVE-2020-22083.", + "cve": "CVE-2020-22083", + "id": "pyup.io-39319", + "specs": [ + "<=1.4.1" + ], + "v": "<=1.4.1" + } + ], "jsonrpc-pyclient": [ { "advisory": "jsonrpc-pyclient 0.7.0 fixes security issues in unixdomainsocket connectors.", - "cve": null, + "cve": "PVE-2021-25869", "id": "pyup.io-25869", "specs": [ "<0.7.0" 
@@ -8453,7 +10952,7 @@ "jumpssh": [ { "advisory": "Jumpssh 1.6.3 removes pytest-runner from setup_requires as this is deprecated for security reasons, see https://github.com/pytest-dev/pytest-runner", - "cve": null, + "cve": "PVE-2021-38051", "id": "pyup.io-38051", "specs": [ "<1.6.3" @@ -8475,7 +10974,7 @@ "jupyter-nbrequirements": [ { "advisory": "Jupyter-nbrequirements 0.6.0 bumps bleach from 3.1.0 to 3.1.1 because it provides better security.", - "cve": null, + "cve": "PVE-2021-38077", "id": "pyup.io-38077", "specs": [ "<0.6.0" @@ -8486,7 +10985,7 @@ "jupyter-server": [ { "advisory": "Jupyter-server 0.2.0 adds a \"secure_write\" to function for cookie/token saves. See: .", - "cve": null, + "cve": "PVE-2021-38212", "id": "pyup.io-38212", "specs": [ "<0.2.0" @@ -8501,12 +11000,21 @@ "<1.0.6" ], "v": "<1.0.6" + }, + { + "advisory": "Jupyter-server 1.1.0 includes a security advisory fix (pull 345).", + "cve": "PVE-2021-39272", + "id": "pyup.io-39272", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" } ], "jupyterhub": [ { "advisory": "The maintainers of jupyterhub acknowledge in their changelog notes for version 0.2 that when the environment dictionary is used for authentication as an admin, jupyterhub becomes vulnerable to pre-existing security issues because these environment variables may be passed to the user via the batch submit command.", - "cve": null, + "cve": "PVE-2021-38973", "id": "pyup.io-38973", "specs": [ "<=0.2" 
@@ -8514,6 +11022,66 @@ "v": "<=0.2" } ], + "jupyterhub-systemdspawner": [ + { + "advisory": "Jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units, which are accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default.", + "cve": "PVE-2021-39244", + "id": "pyup.io-39244", + "specs": [ + "<0.15" + ], + "v": "<0.15" + } + ], + "jupyterlab": [ + { + "advisory": "Jupyterlab 3.0.8 updates the 'marked' dependency to address a vulnerability. See also .", + "cve": "PVE-2021-40042", + "id": "pyup.io-40042", + "specs": [ + "<3.0.8" + ], + "v": "<3.0.8" + }, + { + "advisory": "Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability.", + "cve": "PVE-2021-41038", + "id": "pyup.io-41038", + "specs": [ + "<3.1.0" + ], + "v": "<3.1.0" + }, + { + "advisory": "Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability.", + "cve": "PVE-2021-40969", + "id": "pyup.io-40969", + "specs": [ + "<3.1.0b2" + ], + "v": "<3.1.0b2" + } + ], + "jupytext": [ + { + "advisory": "Jupytext 1.10.3 updates 'marked', an indirect dependency of the 'jupyterlab-jupytext' extension, to fix a moderate vulnerability (https://github.com/mwouts/jupytext/issues/750).", + "cve": "PVE-2021-40093", + "id": "pyup.io-40093", + "specs": [ + "<1.10.3" + ], + "v": "<1.10.3" + }, + { + "advisory": "Jupytext 1.11.3 updates dependencies of the 'JupyterLab' extension to fix a security vulnerability.", + "cve": "PVE-2021-40645", + "id": "pyup.io-40645", + "specs": [ + "<1.11.3" + ], + "v": "<1.11.3" + } + ], "jw.util": [ { "advisory": "An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. 
When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used. See: CVE-2020-13388.", @@ -8528,7 +11096,7 @@ "jwql": [ { "advisory": "Jwql 0.16.0 updates ``django`` to fix security issues.", - "cve": null, + "cve": "PVE-2021-37148", "id": "pyup.io-37148", "specs": [ "<0.16.0" @@ -8539,7 +11107,7 @@ "kafkacrypto": [ { "advisory": "Kafkacrypto 0.9.5 includes one low severity security fix identified during the crypto review.", - "cve": null, + "cve": "PVE-2021-37515", "id": "pyup.io-37515", "specs": [ "<0.9.5" @@ -8548,7 +11116,7 @@ }, { "advisory": "Kafkacrypto 0.9.8 includes:\r\n- Implementation of allowlist and denylists. This removes the need for separate code pathways for root of trusts, enabling them to be treated as entries in allowlist.\r\n- Implementation of automatic processing of messages to adjust allowlists, denylists, and chains. This enables very short chain lifetimes, a security benefit. It also enables a private key to self-sign that it should be revoked.\r\n- Implementation of a pathlength constraint for further tightening of chains. Minimum usable value is typically 1, unless the end of the chain will not sign any further messages.\r\n- Fix kafka wrapper poll implementation to make the timeout optional.", - "cve": null, + "cve": "PVE-2021-37560", "id": "pyup.io-37560", "specs": [ "<0.9.8" @@ -8559,7 +11127,7 @@ "kako": [ { "advisory": "Kako 1.1.0 updates a few dependencies to resolve dependabot complaints around security issues in `pyyaml`, `requests` and to resolve exceptions raised by `cerberus` when an incorrect simulation is provided.", - "cve": null, + "cve": "PVE-2021-38720", "id": "pyup.io-38720", "specs": [ "<1.1.0" @@ -8570,7 +11138,7 @@ "kalliope": [ { "advisory": "kalliope 0.5.3 update request lib to fix security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-36808", "id": "pyup.io-36808", "specs": [ "<0.5.3" 
@@ -8581,7 +11149,7 @@ "karlovic": [ { "advisory": "Karlovic 0.1.3beta includes a fix for a vulnerable Pillow function.", - "cve": null, + "cve": "PVE-2021-38963", "id": "pyup.io-38963", "specs": [ "<0.1.3beta" @@ -8592,7 +11160,7 @@ "katal": [ { "advisory": "katal before 0.0.6 uses eval() internally.", - "cve": null, + "cve": "PVE-2021-34247", "id": "pyup.io-34247", "specs": [ "<0.0.6" @@ -8603,7 +11171,7 @@ "katka-core": [ { "advisory": "katka-core 0.11.0 decreases the amount of gaping security holes", - "cve": null, + "cve": "PVE-2021-36914", "id": "pyup.io-36914", "specs": [ "<0.11.0" @@ -8614,7 +11182,7 @@ "katsdptelstate": [ { "advisory": "Katsdptelstate 0.9 disable pickles by default for security.", - "cve": null, + "cve": "PVE-2021-38321", "id": "pyup.io-38321", "specs": [ "<0.9" @@ -8625,7 +11193,7 @@ "kaze-python": [ { "advisory": "kaze-python 0.6.5 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", - "cve": null, + "cve": "PVE-2021-36494", "id": "pyup.io-36494", "specs": [ "<0.6.5" @@ -8634,7 +11202,7 @@ }, { "advisory": "kaze-python 0.7.8 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", - "cve": null, + "cve": "PVE-2021-36493", "id": "pyup.io-36493", "specs": [ "<0.7.8" @@ -8656,7 +11224,7 @@ "kedro-viz": [ { "advisory": "Kedro-viz 2.1.0 fixes an infosec vulnerability in LoDash (16).", - "cve": null, + "cve": "PVE-2021-37353", "id": "pyup.io-37353", "specs": [ "<2.1.0" @@ -8665,7 +11233,7 @@ }, { "advisory": "Kedro-viz 3.0.0 includes a Snyk fix for one, unspecified vulnerability.", - "cve": null, + "cve": "PVE-2021-37615", "id": "pyup.io-37615", "specs": [ "<3.0.0" @@ -8674,7 +11242,7 @@ }, { "advisory": "Kedro-viz 3.3.0 adds bandit for security scanning as a pre-commit hook.", - "cve": null, + "cve": "PVE-2021-38329", "id": "pyup.io-38329", "specs": [ "<3.3.0" 
@@ -8682,6 +11250,17 @@ "v": "<3.3.0" } ], + "keplergl": [ + { + "advisory": "Keplergl 2.4.0 fixes several security vulnerabilities (9a13ce68). No details were provided.", + "cve": "PVE-2021-39211", + "id": "pyup.io-39211", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + } + ], "keyring": [ { "advisory": "Python keyring lib before 0.10 created keyring files with world-readable permissions. See: CVE-2012-5577.", @@ -8713,9 +11292,9 @@ ], "keystone": [ { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. See: CVE-2020-12690.", - "cve": "CVE-2020-12690", - "id": "pyup.io-38583", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. See: CVE-2020-12692.", + "cve": "CVE-2020-12692", + "id": "pyup.io-38584", "specs": [ "<15.0.1", "==16.0.0" 
@@ -8733,9 +11312,9 @@ "v": "<15.0.1,==16.0.0" }, { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. See: CVE-2020-12692.", - "cve": "CVE-2020-12692", - "id": "pyup.io-38584", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. See: CVE-2020-12690.", + "cve": "CVE-2020-12690", + "id": "pyup.io-38583", "specs": [ "<15.0.1", "==16.0.0" 
@@ -8772,7 +11351,7 @@ "v": "==2013" }, { - "advisory": "It is possible to remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB). Reportedly, all versions are affected. See also: CVE-2012-1572 and .", + "advisory": "It is possible to remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB). Reportedly, all versions are affected. See also: CVE-2012-1572 and https://security.openstack.org/ossa/OSSA-2012-002.html.", "cve": "CVE-2012-1572", "id": "pyup.io-38586", "specs": [ 
@@ -8806,18 +11385,27 @@ "khoros": [ { "advisory": "Khoros 2.2.0 includes changes to the :doc:`supporting modules `. The ``yaml.load()`` function call got replaced with ``yaml.safe_load()`` in :py:func:`khoros.utils.helper.import_yaml_file` as it is a better security practice.", - "cve": null, + "cve": "PVE-2021-38223", "id": "pyup.io-38223", "specs": [ "<2.2.0" ], "v": "<2.2.0" + }, + { + "advisory": "Khoros 3.5.0 added the '.github/workflows/bandit.yml' GitHub Action workflow configuration file to leverage the 'Python security check using Bandit' action to perform security audits with each push event. It also changed the default value for the 'shell' parameter to be 'False' in the :py:func:khoros.utils.core_utils.run_cmd function to improve overall security of the library. See also .", + "cve": "PVE-2021-40102", + "id": "pyup.io-40102", + "specs": [ + "<3.5.0" + ], + "v": "<3.5.0" } ], "khorosjx": [ { "advisory": "khorosjx 2.3.1 upgrades the bleach package to version 3.1.1 to mitigate an XSS security issue", - "cve": null, + "cve": "PVE-2021-37935", "id": "pyup.io-37935", "specs": [ "<2.3.1" @@ -8826,7 +11414,7 @@ }, { "advisory": "Khorosjx 2.3.1 updates requirements.txt to use Bleach to version 3.1.1 to mitigate a security alert for a mutation XSS vulnerability. See: https://github.com/mozilla/bleach/security/advisories/GHSA-q65m-pv3f-wr5r", - "cve": null, + "cve": "PVE-2021-37961", "id": "pyup.io-37961", "specs": [ "<2.3.1" @@ -8835,7 +11423,7 @@ }, { "advisory": "Khorosjx 2.5.0 bumps the included version of bleach to 3.1.2 to mitigate an identified mutation XSS vulnerability. See: .", - "cve": null, + "cve": "PVE-2021-38236", "id": "pyup.io-38236", "specs": [ "<2.5.0" @@ -8844,7 +11432,7 @@ }, { "advisory": "Khorosjx 2.5.1 bumps the included version of bleach to 3.1.4 to include some security fixes.", - "cve": null, + "cve": "PVE-2021-38235", "id": "pyup.io-38235", "specs": [ "<2.5.1" 
@@ -8855,7 +11443,7 @@ "kinto": [ { "advisory": "kinto 12.0.2\r\n **security**: Fix a pagination bug in the PostgreSQL backend that could leak records between collections", - "cve": null, + "cve": "PVE-2021-36841", "id": "pyup.io-36841", "specs": [ "<12.0.2" @@ -8864,7 +11452,7 @@ }, { "advisory": "kinto 13.0.0 **security**: Fix a pagination bug in the PostgreSQL backend that could leak records between collections", - "cve": null, + "cve": "PVE-2021-36840", "id": "pyup.io-36840", "specs": [ "<13.0.0" @@ -8873,7 +11461,7 @@ }, { "advisory": "kinto 5.1.0 replaced insecure use of ``random.random()`` and ``random.choice(...)`` with more secure ``random.SystemRandom().random()`` and ``random.SystemRandom().choice(...)``.", - "cve": null, + "cve": "PVE-2021-25873", "id": "pyup.io-25873", "specs": [ "<5.1.0" @@ -8882,7 +11470,7 @@ }, { "advisory": "Kinto 5.3.5 prevents injections in the PostgreSQL permission backend.", - "cve": null, + "cve": "PVE-2021-38954", "id": "pyup.io-38954", "specs": [ "<5.3.5" @@ -8893,7 +11481,7 @@ "kinto-dist": [ { "advisory": "Signer parameters in kinto-dist before 15.0.2 were displayed in capabilities. This was a security concern.", - "cve": null, + "cve": "PVE-2021-37169", "id": "pyup.io-37169", "specs": [ "<15.0.2" @@ -8902,7 +11490,7 @@ }, { "advisory": "Kinto-dist 17.0.0 fixes a pagination bug in the PostgreSQL backend that could leak records between collections.", - "cve": null, + "cve": "PVE-2021-36153", "id": "pyup.io-36153", "specs": [ "<17.0.0" @@ -8911,7 +11499,7 @@ }, { "advisory": "Kinto-dist between 6.0.0 and 6.0.2 included Kinto 8.2.0 where the `account` plugin had a security flaw where the password wasn't verified during the session duration.", - "cve": null, + "cve": "PVE-2021-36291", "id": "pyup.io-36291", "specs": [ ">=6.0.0,<=6.0.2" 
@@ -8942,7 +11530,7 @@ "kiwitcms": [ { "advisory": "Kiwitcms 3.36.0 no longer include Regular Expression Denial of Service (ReDoS) vulnerabilities in the included `moment` Javascript library.", - "cve": null, + "cve": "PVE-2021-39074", "id": "pyup.io-39074", "specs": [ "<3.36.0" @@ -8951,7 +11539,7 @@ }, { "advisory": "Kiwitcms 3.8.102 fixes bug 1133912: Script injection in notes field.", - "cve": null, + "cve": "PVE-2021-39075", "id": "pyup.io-39075", "specs": [ "<3.8.102" @@ -8960,7 +11548,7 @@ }, { "advisory": "Kiwi TCMS 4.2:\r\n- Enables testing with Badit, Coverity Scan, pyup.io, andf Snyk\r\n- Uses SHA256 instead of MD5 and SHA1\r\n- Uses the `secrets` module for activation keys\r\n- Removes unnecessary AJAX view that had remote code execution vulnerability\r\n- Doesn't use hardcoded temporary directories\r\n- Upgrades to Patternfly 3.36.0, which fixes vulnerabilities https://snyk.io/vuln/npm:moment:20161019 and https://snyk.io/vuln/npm:moment:20170905", - "cve": null, + "cve": "PVE-2021-38543", "id": "pyup.io-38543", "specs": [ "<4.2" @@ -8969,7 +11557,7 @@ }, { "advisory": "Kiwitcms 6.0 updates to Django 2.1.2 (due to a high severity security issue) and to Patternfly 3.54.8.", - "cve": null, + "cve": "PVE-2021-36649", "id": "pyup.io-36649", "specs": [ "<6.0" 
@@ -8977,17 +11565,26 @@ "v": "<6.0" }, { - "advisory": "Kiwitcms 6.10 updates Django from 2.2.1 to 2.2.2 (see CVE-2019-12308 and CVE-2019-11358). Additionally, it adds missing permission checks for menus in Test run page UI template. Permission check are also added for TestExecution status and comment menu. See . Lastly, it re-enables static analysis with `bandit` and `Coverity Scan` in Travis CI.", - "cve": "CVE-2019-12308,CVE-2019-11358", + "advisory": "Kiwitcms 6.10 updates Django from 2.2.1 to 2.2.2 (see CVE-2019-12308). Additionally, it adds missing permission checks for menus in Test run page UI template. Permission check are also added for TestExecution status and comment menu. See . Lastly, it re-enables static analysis with `bandit` and `Coverity Scan` in Travis CI.", + "cve": "CVE-2019-12308", "id": "pyup.io-38537", "specs": [ "<6.10" ], "v": "<6.10" }, + { + "advisory": "Kiwitcms 6.10 includes a fix for CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", + "cve": "CVE-2019-11358", + "id": "pyup.io-39590", + "specs": [ + "<6.10" + ], + "v": "<6.10" + }, { "advisory": "Kiwi TCMS 6.11 updates 'Django' from 2.2.2 (which is known to not be secure) to 2.2.4.", - "cve": null, + "cve": "PVE-2021-38544", "id": "pyup.io-38544", "specs": [ "<6.11" @@ -8996,7 +11593,7 @@ }, { "advisory": "Kiwi TCMS 6.3 resolves a medium severity XSS vulnerability which can be exploited when previewing malicious text in Simple MDE editor. Additionally, it uses `mozilla/bleach` before rendering Markdown to the user as a second layer of protection against the previously mentioned XSS vulnerability.", - "cve": null, + "cve": "PVE-2021-38542", "id": "pyup.io-38542", "specs": [ "<6.3" 
@@ -9004,17 +11601,26 @@ "v": "<6.3" }, { - "advisory": "Kiwi TCMS 6.4 updates Django from 2.1.4 to 2.1.5, which deals with CVE-2019-3498. It also update Patternfly to version 3.59.0, which deals with an XSS issue in bootstrap (CVE-2018-14041). By default session cookies will expire after 24 hours. This can now be controlled via the ``SESSION_COOKIE_AGE`` setting. See .", - "cve": "CVE-2019-3498,CVE-2018-14041", + "advisory": "Kiwitcms 6.4 includes fix for CVE-2019-3498: In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.", + "cve": "CVE-2019-3498", "id": "pyup.io-38541", "specs": [ "<6.4" ], "v": "<6.4" }, + { + "advisory": "Kiwi TCMS 6.4 updates Patternfly to version 3.59.0, which deals with an XSS issue in bootstrap (CVE-2018-14041 - In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy). By default session cookies will expire after 24 hours. This can now be controlled via the ``SESSION_COOKIE_AGE`` setting. See https://github.com/kiwitcms/Kiwi/issues/556.", + "cve": "CVE-2018-14041", + "id": "pyup.io-39589", + "specs": [ + "<6.4" + ], + "v": "<6.4" + }, { "advisory": "Kiwi TCMS 6.5 includes a better override of SimpleMDE markdown rendering to prevent XSS vulnerabilities in SimpleMDE.", - "cve": null, + "cve": "PVE-2021-38540", "id": "pyup.io-38540", "specs": [ "<6.5" @@ -9032,7 +11638,7 @@ }, { "advisory": "Kiwi TCMS 6.6 explicitly requires marked v0.6.1 to fix medium severity ReDoS vulnerability.", - "cve": null, + "cve": "PVE-2021-38538", "id": "pyup.io-38538", "specs": [ "<6.6" 
@@ -9041,7 +11647,7 @@ }, { "advisory": "Kiwi TCMS 7.0 removes the API method ``BugSystem.filter()``. It was possible to use this method to steal passwords or keys used for Issue Tracker integration. This vulnerability could be exploited by users logged into Kiwi TCMS and is classified as medium severity.", - "cve": null, + "cve": "PVE-2021-38536", "id": "pyup.io-38536", "specs": [ "<7.0" @@ -9058,7 +11664,7 @@ "v": "<7.3" }, { - "advisory": "Kiwi TCMS 8.1 prevents an XSS attack via tags by having the JSON-RPC handler escape all HTML strings. Additionally, it updates Django from 3.0.3 to 3.0.4, which fixes security issue CVE-2020-9402.", + "advisory": "Kiwitcms 8.1 includes a fix for CVE-2020-9402: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.", "cve": "CVE-2020-9402", "id": "pyup.io-37503", "specs": [ @@ -9070,7 +11676,7 @@ "knowledge-repo": [ { "advisory": "knowledge-repo 0.8.0 removed two security vulnerabilities associated with arbitrary code execution from code stored in knowledge repositories on both clients and servers via knowledge repository configuration and embedded tooling.", - "cve": null, + "cve": "PVE-2021-36510", "id": "pyup.io-36510", "specs": [ "<0.8.0" @@ -9081,7 +11687,7 @@ "kotti": [ { "advisory": "kotti 1.3.2 fixes a CSRF (Cross Site Request Forgery) security vulnerablity which was reported in 551. You should upgrade your installations ASAP.", - "cve": null, + "cve": "PVE-2021-36142", "id": "pyup.io-36142", "specs": [ "<1.3.2" 
@@ -9091,7 +11697,7 @@ ], "kuber": [ { - "advisory": "Kuber 10.0.1 bumps the urllib3 version to pick up security fix for CVE-2019-11324.", + "advisory": "Kuber 10.0.1 includes a fix for CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.", "cve": "CVE-2019-11324", "id": "pyup.io-38099", "specs": [ @@ -9100,7 +11706,7 @@ "v": "<10.0.1" }, { - "advisory": "Kuber 9.0.0a1 bumps urllib3 version to pick up security fix for CVE-2018-20060.", + "advisory": "Kuber 9.0.0a1 includes a fix for CVE-2018-20060: urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.", "cve": "CVE-2018-20060", "id": "pyup.io-36979", "specs": [ 
@@ -9111,46 +11717,30 @@ ], "kubernetes": [ { - "advisory": "kubernetes 7.0.1 bumps urllib3 version to pick up security fix for CVE-2018-20060 [kubernetes-client/python#707](https://github.com/kubernetes-client/python/pull/707)", + "advisory": "Kubernetes 7.0.1, 8.0.1 and 9.0.0a1 include a fix for CVE-2018-20060: urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.", "cve": "CVE-2018-20060", "id": "pyup.io-36762", "specs": [ - "<7.0.1" + "<7.0.1", + ">=8.0,<8.0.1", + ">=9.0,<9.0.0a1" ], - "v": "<7.0.1" + "v": "<7.0.1,>=8.0,<8.0.1,>=9.0,<9.0.0a1" }, { - "advisory": "Kubernetes 10.0.1 Bumps urllib3 version to pick up security fix for CVE-2019-11324. See: .", + "advisory": "Kubernetes 10.0.1 includes a fix for CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. 
This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.", "cve": "CVE-2019-11324", "id": "pyup.io-38036", "specs": [ ">=10.0,<10.0.1" ], "v": ">=10.0,<10.0.1" - }, - { - "advisory": "Kubernetes 8.0.1 Bumps urllib3 version to pick up security fix for CVE-2018-20060 - see: https://github.com/kubernetes-client/python/pull/707", - "cve": "CVE-2018-20060", - "id": "pyup.io-36761", - "specs": [ - ">=8.0,<8.0.1" - ], - "v": ">=8.0,<8.0.1" - }, - { - "advisory": "Kubernetes 9.0.0a1 Bumps urllib3 version to pick up security fix for CVE-2018-20060 - see: https://github.com/kubernetes-client/python/pull/707", - "cve": "CVE-2018-20060", - "id": "pyup.io-36760", - "specs": [ - ">=9.0,<9.0.0a1" - ], - "v": ">=9.0,<9.0.0a1" - } - ], - "kubernetes-asyncio": [ + } + ], + "kubernetes-asyncio": [ { "advisory": "kubernetes-asyncio 8.0.3 uses `yaml.safe_load`, `yaml.safe_dump` for security reasons.", - "cve": null, + "cve": "PVE-2021-36777", "id": "pyup.io-36777", "specs": [ "<8.0.3" @@ -9172,7 +11762,7 @@ "kytos": [ { "advisory": "Kytos 2019.1b1 updates the 'pyyaml' and 'requests' requirements versions, in order to fix vulnerabilities.", - "cve": null, + "cve": "PVE-2021-38938", "id": "pyup.io-38938", "specs": [ "<2019.1b1" @@ -9181,7 +11771,7 @@ }, { "advisory": "kytos 2019.1b3 change: Changed some dependencies versions in order to fix security bugs", - "cve": null, + "cve": "PVE-2021-37226", "id": "pyup.io-37226", "specs": [ "<2019.1b3" @@ -9192,7 +11782,7 @@ "kytos-utils": [ { "advisory": "kytos-utils 2019.1b3 change: Updated requirements versions in order to fix some security bugs", - "cve": null, + "cve": "PVE-2021-37225", "id": "pyup.io-37225", "specs": [ "<2019.1b3" @@ -9203,7 +11793,7 @@ "lambda-tools": [ { "advisory": "lambda-tools before 0.1.2 used an unsafe way to load untrusted lambda definitions via `yaml.load`.", - "cve": null, + "cve": "PVE-2021-35209", "id": "pyup.io-35209", "specs": [ "<0.1.2" 
@@ -9211,21 +11801,10 @@ "v": "<0.1.2" } ], - "lambda-warmer-py": [ - { - "advisory": "Lambda-warmer-py 1.2.0 upgrades the lodash dependency for security issues [131577c].", - "cve": null, - "id": "pyup.io-37371", - "specs": [ - "<1.2.0" - ], - "v": "<1.2.0" - } - ], "lambdajson": [ { "advisory": "lambdajson 0.1.5 includes a security fix. Using ast.literal_eval as eval.", - "cve": null, + "cve": "PVE-2021-25874", "id": "pyup.io-25874", "specs": [ "<0.1.5" @@ -9236,7 +11815,7 @@ "lander": [ { "advisory": "Lander 0.1.15 updates 'requests' to 2.20.0 for security reasons.", - "cve": null, + "cve": "PVE-2021-38375", "id": "pyup.io-38375", "specs": [ "<0.1.15" @@ -9247,7 +11826,7 @@ "lando": [ { "advisory": "Lando 0.11.3 adds `cluster_api_settings .ssl_ca_cert` config flag to allow secure k8s connections. See .", - "cve": null, + "cve": "PVE-2021-37414", "id": "pyup.io-37414", "specs": [ "<0.11.3" @@ -9258,7 +11837,7 @@ "language-formatters-pre-commit-hooks": [ { "advisory": "Language-formatters-pre-commit-hooks 1.6.0 enhances its security in commands execution to prevent shell-injection.", - "cve": null, + "cve": "PVE-2021-38926", "id": "pyup.io-38926", "specs": [ "<1.6.0" @@ -9269,7 +11848,7 @@ "lapdog": [ { "advisory": "Lapdog 0.18.7 improves API security by switching to custom Lapdog OAuth tokens. Currently this is only supported by Broad accounts. Non-broad accounts will continue to use standard Google application-default credentials when authenticating through the Lapdog API.", - "cve": null, + "cve": "PVE-2021-37597", "id": "pyup.io-37597", "specs": [ "<0.18.7" 
@@ -9280,7 +11859,7 @@ "launchdarkly-server-sdk": [ { "advisory": "Setting `verify_ssl` to `False` in the client configuration of launchdarkly-server-sdk before 6.12.2 did not have the expected effect of completely turning off SSL/TLS verification, because it still left _certificate_ verification in effect, so it would allow a totally insecure connection but reject a secure connection whose certificate had an unknown CA. This has been changed so that it will turn off certificate verification as well. This is not a recommended practice and a future version of the SDK will add a way to specify a custom certificate authority instead (to support, for instance, using the Relay Proxy with a self-signed certificate).", - "cve": null, + "cve": "PVE-2021-38082", "id": "pyup.io-38082", "specs": [ "<6.12.2" 
@@ -9288,21 +11867,86 @@ "v": "<6.12.2" } ], + "launchkey": [ + { + "advisory": "Launchkey 3.9.1 bumps the 'urllib3' due to a security vulnerability.", + "cve": "PVE-2021-40654", + "id": "pyup.io-40654", + "specs": [ + "<3.9.1" + ], + "v": "<3.9.1" + } + ], "layeredimage": [ { "advisory": "Layeredimage 2020.6.4 updates pyora, which has security benefits.", - "cve": null, + "cve": "PVE-2021-38288", "id": "pyup.io-38288", "specs": [ "<2020.6.4" ], "v": "<2020.6.4" + }, + { + "advisory": "Layeredimage 2021.2.1 includes a fix for CVE-2021-27923: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.", + "cve": "CVE-2021-27923", + "id": "pyup.io-40327", + "specs": [ + "<2021.2.1" + ], + "v": "<2021.2.1" + }, + { + "advisory": "Layeredimage 2021.2.1 includes a fix for CVE-2021-27922: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.", + "cve": "CVE-2021-27922", + "id": "pyup.io-40331", + "specs": [ + "<2021.2.1" + ], + "v": "<2021.2.1" + }, + { + "advisory": "Layeredimage 2021.2.1 updates the 'Pillow' dependency >= 8.1.1 due to high severity security vulnerabilities (CVE-2020-35654).", + "cve": "CVE-2020-35654", + "id": "pyup.io-40328", + "specs": [ + "<2021.2.1" + ], + "v": "<2021.2.1" + }, + { + "advisory": "Layeredimage 2021.2.1 updates the 'Pillow' dependency >= 8.1.1 due to high severity security vulnerabilities (CVE-2020-35655).", + "cve": "CVE-2020-35655", + "id": "pyup.io-40332", + "specs": [ + "<2021.2.1" + ], + "v": "<2021.2.1" + }, + { + "advisory": "Layeredimage 2021.2.1 includes a fix for CVE-2021-27921: Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) 
because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.", + "cve": "CVE-2021-27921", + "id": "pyup.io-40330", + "specs": [ + "<2021.2.1" + ], + "v": "<2021.2.1" + }, + { + "advisory": "Layeredimage 2021.0.1 includes a fix for CVE-2020-35653: In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", + "cve": "CVE-2020-35653", + "id": "pyup.io-40329", + "specs": [ + "<2021.2.1" + ], + "v": "<2021.2.1" } ], "ldap3": [ { "advisory": "ldap3 before 0.9.5.4 has several security issues in lazy connections.", - "cve": null, + "cve": "PVE-2021-25875", "id": "pyup.io-25875", "specs": [ "<0.9.5.4" @@ -9311,7 +11955,7 @@ }, { "advisory": "ldap3 2.4 includes a security fix in the rebind() method of the Connection object.", - "cve": null, + "cve": "PVE-2021-35053", "id": "pyup.io-35053", "specs": [ "<2.4" @@ -9322,18 +11966,38 @@ "lemur": [ { "advisory": "lemur 0.1.5 switched from use a AES static key to Fernet encryption.", - "cve": null, + "cve": "PVE-2021-25876", "id": "pyup.io-25876", "specs": [ "<0.1.5" ], "v": "<0.1.5" + }, + { + "advisory": "Lemur 0.9.0 fixes three critical vulnerabilities where an authenticated user could retrieve/access unauthorized information. See also .", + "cve": "PVE-2021-40028", + "id": "pyup.io-40028", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], + "libhxl": [ + { + "advisory": "For web-security reasons, libhxl 4.21.3 blocks the fetching of datasets from localhost, *.localdomain (or any dotted quad) unless allow_local is True.", + "cve": "PVE-2021-39450", + "id": "pyup.io-39450", + "specs": [ + "<4.21.3" + ], + "v": "<4.21.3" } ], "libtaxii": [ { "advisory": "libtaxii before 1.1.105 has multiple XML parsing related vulnerabilities.", - "cve": null, + "cve": "PVE-2021-25877", "id": "pyup.io-25877", "specs": [ "<1.1.105" 
@@ -9344,7 +12008,7 @@ "lifx-control-panel": [ { "advisory": "Lifx-control-panel 1.5.4 fixes a pretty major security exploit. It adds safe-scopes to all `eval()` calls.", - "cve": null, + "cve": "PVE-2021-37424", "id": "pyup.io-37424", "specs": [ "<1.5.4" @@ -9353,7 +12017,7 @@ }, { "advisory": "Lifx-control-panel 1.6.3 removes all `eval()` statements for security.", - "cve": null, + "cve": "PVE-2021-37423", "id": "pyup.io-37423", "specs": [ "<1.6.3" @@ -9362,7 +12026,7 @@ }, { "advisory": "lifx-control-panel 1.7.6:\r\n* Pyinstaller 3.6 fixes several security vulnerabilities \r\n* Updated other key repositories, increasing security and speed", - "cve": null, + "cve": "PVE-2021-37853", "id": "pyup.io-37853", "specs": [ "<1.7.6" @@ -9370,6 +12034,17 @@ "v": "<1.7.6" } ], + "line-item-manager": [ + { + "advisory": "Line-item-manager 0.2.2 upgrades the 'jinja2' dependency to 2.11.3 and the 'PyYAML' due to security vulnerabilities.", + "cve": "PVE-2021-40555", + "id": "pyup.io-40555", + "specs": [ + "<0.2.2" + ], + "v": "<0.2.2" + } + ], "lithops": [ { "advisory": "Lithops 1.0.1 fixes a flask security issues. See: CVE-2018-1000656.", @@ -9393,7 +12068,7 @@ "livefyre": [ { "advisory": "livefyre before 2.0.3 uses a release of a transitive dependency with known security vulnerabilities (PyJWT).", - "cve": null, + "cve": "PVE-2021-34170", "id": "pyup.io-34170", "specs": [ "<2.0.3" @@ -9404,7 +12079,7 @@ "locustio": [ { "advisory": "locustio before 0.7 uses pickle.", - "cve": null, + "cve": "PVE-2021-25878", "id": "pyup.io-25878", "specs": [ "<0.7" @@ -9446,7 +12121,7 @@ "luckycharms": [ { "advisory": "Luckycharms 0.5.2 upgrades some dependencies with security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37144", "id": "pyup.io-37144", "specs": [ "<0.5.2" 
@@ -9457,7 +12132,7 @@ "luigi": [ { "advisory": "luigi 2.1.1 fixes a security issue where malicious users can run arbitrary code if they have file system (even external mounts!)+network access on the machine running luigid (executed by the user that you run luigid with).", - "cve": null, + "cve": "PVE-2021-34671", "id": "pyup.io-34671", "specs": [ "<2.1.1" @@ -9466,7 +12141,7 @@ }, { "advisory": "luigi before 2.7.5 allowed an xss attack using GET parameters, relying on the Jquery `append` function.", - "cve": null, + "cve": "PVE-2021-36315", "id": "pyup.io-36315", "specs": [ "<2.7.5" @@ -9477,7 +12152,7 @@ "lurklite": [ { "advisory": "Lurklite 0.4.9 includes a change that allows Discord administrators to be specified with user IDs as well as usernamediscriminator, improving security with username changes.", - "cve": null, + "cve": "PVE-2021-38394", "id": "pyup.io-38394", "specs": [ "<0.4.9" @@ -9497,7 +12172,7 @@ }, { "advisory": "In lxml before 4.4.0, when writing to file paths that contain the URL escape character '%', the file path could wrongly be mangled by URL unescaping and thus write to a different file or directory. Code that writes to file paths that are provided by untrusted sources, but that must work with previous versions of lxml, should best either reject paths that contain '%' characters, or otherwise make sure that the path does not contain maliciously injected '%XX' URL hex escapes for paths like '../'.", - "cve": null, + "cve": "PVE-2021-39195", "id": "pyup.io-39195", "specs": [ "<4.4.0" @@ -9506,7 +12181,7 @@ }, { "advisory": "Lxml 4.6.1 includes a fix for a vulnerability that was discovered in the HTML Cleaner, which allowed JavaScript to pass through. The cleaner now removes more sneaky \"style\" content.", - "cve": null, + "cve": "PVE-2021-38892", "id": "pyup.io-38892", "specs": [ "<4.6.1" 
@@ -9514,19 +12189,28 @@ "v": "<4.6.1" }, { - "advisory": "In lxml before version 4.6.2, a vulnerability was discovered in the HTML Cleaner which allowed JavaScript to pass through. The cleaner now removes more sneaky \"style\" content.", + "advisory": "A XSS vulnerability was discovered in python-lxml's clean module prior to 4.6.2. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code. See: CVE-2020-27783.", "cve": "CVE-2020-27783", "id": "pyup.io-39194", "specs": [ "<4.6.2" ], "v": "<4.6.2" + }, + { + "advisory": "An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.", + "cve": "CVE-2021-28957", + "id": "pyup.io-40072", + "specs": [ + "<4.6.3" + ], + "v": "<4.6.3" } ], "mackup": [ { "advisory": "Mackup 0.8.28 includes a vulnerability fix. No details were given.", - "cve": null, + "cve": "PVE-2021-38383", "id": "pyup.io-38383", "specs": [ "<0.8.28" @@ -9537,7 +12221,7 @@ "maestral": [ { "advisory": "Communication between the sync daemon and frontend (GUI or CLI) in maestral 0.4.1 is faster and more secure than in previous versions. Additionally, it uses Unix domain sockets instead of TCP/IP sockets for communication with daemon. This means that communication is lighter, faster and more secure (other users on the same PC can no longer connect to your sync daemon).", - "cve": null, + "cve": "PVE-2021-37523", "id": "pyup.io-37523", "specs": [ "<0.4.1" 
@@ -9548,7 +12232,7 @@ "maestrowf": [ { "advisory": "Maestrowf 1.1.6 updates PyYAML to a more secure version.", - "cve": null, + "cve": "PVE-2021-38297", "id": "pyup.io-38297", "specs": [ "<1.1.6" @@ -9626,7 +12310,7 @@ "manifest-tool": [ { "advisory": "Manifest-tool 2.0.0 adds an option to sign candidate image using update private key, allowing to implement secure boot on a device side.", - "cve": null, + "cve": "PVE-2021-38628", "id": "pyup.io-38628", "specs": [ "<2.0.0" @@ -9650,7 +12334,7 @@ "mantissa": [ { "advisory": "mantissa before 0.6.14 in xmantissa.webtheme allows access to arbitrary filesystem contents.", - "cve": null, + "cve": "PVE-2021-25883", "id": "pyup.io-25883", "specs": [ "<0.6.14" @@ -9660,18 +12344,18 @@ ], "markdown2": [ { - "advisory": "markdown2 before 1.0.1.14 has a security hole in the md5-hashing scheme for handling HTML chunks during processing.", - "cve": null, - "id": "pyup.io-25884", + "advisory": "Python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. See CVE-2009-3724.", + "cve": "CVE-2009-3724", + "id": "pyup.io-37735", "specs": [ "<1.0.1.14" ], "v": "<1.0.1.14" }, { - "advisory": "Python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues. See CVE-2009-3724.", - "cve": "CVE-2009-3724", - "id": "pyup.io-37735", + "advisory": "markdown2 before 1.0.1.14 has a security hole in the md5-hashing scheme for handling HTML chunks during processing.", + "cve": "PVE-2021-25884", + "id": "pyup.io-25884", "specs": [ "<1.0.1.14" ], @@ -9679,7 +12363,7 @@ }, { "advisory": "markdown2 before 1.0.1.15 is vulnerable to a XSS attack via JavaScript injection in a carefully crafted image reference (usage of double-quotes in the URL).", - "cve": null, + "cve": "PVE-2021-25885", "id": "pyup.io-25885", "specs": [ "<1.0.1.15" 
@@ -9703,6 +12387,15 @@ "<=2.3.8" ], "v": "<=2.3.8" + }, + { + "advisory": "markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time. See CVE-2021-26813.", + "cve": "CVE-2021-26813", + "id": "pyup.io-39670", + "specs": [ + ">=1.0.1.18,<2.4.0" + ], + "v": ">=1.0.1.18,<2.4.0" } ], "marshmallow": [ @@ -9737,7 +12430,7 @@ "martypy": [ { "advisory": "martypy 1.2 requests security issues in `requests` and `urllib3` dependencies", - "cve": null, + "cve": "PVE-2021-36739", "id": "pyup.io-36739", "specs": [ "<1.2" @@ -9745,6 +12438,28 @@ "v": "<1.2" } ], + "masz": [ + { + "advisory": "Masz 1.8.1 improves filesystem security.", + "cve": "PVE-2021-40625", + "id": "pyup.io-40625", + "specs": [ + "<1.8.1" + ], + "v": "<1.8.1" + } + ], + "matrix-registration": [ + { + "advisory": "Matrix-registration 0.7.1 updates the waitress dependency because versions below 1.4.2 contain a vulnerability. See CVE-2019-16789.", + "cve": "CVE-2019-16789", + "id": "pyup.io-39271", + "specs": [ + "<0.7.1" + ], + "v": "<0.7.1" + } + ], "matrix-sydent": [ { "advisory": "util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registration restrictions that are based on e-mail domain, if the allowed_local_3pids option is enabled. This occurs because of potentially unwanted behavior in Python, in which an email.utils.parseaddr call on user@bad.example.net@good.example.com returns the user@bad.example.net substring. See: CVE-2019-11340.", 
@@ -9756,10 +12471,32 @@ "v": "<1.0.2" } ], + "matrix-synapse": [ + { + "advisory": "Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 \"Push rules\" can specify conditions under which they will match, including `event_match`, which matches event content against a pattern including wildcards. Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events. The issue is patched in version 1.33.2. A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.", + "cve": "CVE-2021-29471", + "id": "pyup.io-40438", + "specs": [ + "<1.33.2" + ], + "v": "<1.33.2" + } + ], + "matrixctl": [ + { + "advisory": "Matrixctl 0.10.0 starts to use secure, temporary directory for ansible_runner's private data.", + "cve": "PVE-2021-40785", + "id": "pyup.io-40785", + "specs": [ + "<0.10.0" + ], + "v": "<0.10.0" + } + ], "matthisk-httpsig": [ { "advisory": "matthisk-httpsig before 1.0.0 allowed reading keyfiles from disk as this is a huge security hole if this is used in a server framework like drf-httpsig.", - "cve": null, + "cve": "PVE-2021-25886", "id": "pyup.io-25886", "specs": [ "<1.0.0" @@ -9770,7 +12507,7 @@ "mautrix-telegram": [ { "advisory": "Mautrix-telegram 0.6.0 fixes a vulnerability in event handling.", - "cve": null, + "cve": "PVE-2021-37432", "id": "pyup.io-37432", "specs": [ "<0.6.0" 
@@ -9781,7 +12518,7 @@ "maxminddb": [ { "advisory": "maxminddb 1.1.2 includes a number of important security fixes. Among these fixes is improved validation of the database metadata. Unfortunately, MaxMind GeoIP2 and GeoLite2 databases created earlier than January 28, 2014 had an invalid data type for the `record_size` in the metadata. Previously these databases worked on little endian machines with libmaxminddb but did not work on big endian machines. Due to increased safety checks when reading the file, these databases will no longer work on any platform. If you are using one of these databases, we recommend that you upgrade to the latest GeoLite2 or GeoIP2 database", - "cve": null, + "cve": "PVE-2021-25887", "id": "pyup.io-25887", "specs": [ "<1.1.2" @@ -9792,7 +12529,7 @@ "mdbackup": [ { "advisory": "Mdbackup 0.2.0 comes with some bug fixes that made the utility more secure. It introduces the ``Vault secret backend``, where important data (like passwords) can be stored, and the ``File secret backend`` (a fallback secret backend) where secrets are read from the file system directly.", - "cve": null, + "cve": "PVE-2021-37725", "id": "pyup.io-37725", "specs": [ "<0.2.0" @@ -9803,7 +12540,7 @@ "mdcatch": [ { "advisory": "Mdcatch 0.9.1 increases security by removing \"shell=True\".", - "cve": null, + "cve": "PVE-2021-38433", "id": "pyup.io-38433", "specs": [ "<0.9.1" @@ -9814,7 +12551,7 @@ "mega.py": [ { "advisory": "Mega.py 3.6.2 includes SMS verification for enhanced security.", - "cve": null, + "cve": "PVE-2021-37617", "id": "pyup.io-37617", "specs": [ "<3.6.2" @@ -9825,7 +12562,7 @@ "megalib": [ { "advisory": "Megalib 0.9.5alpha updates requirements.txt to fix a vulnerability.", - "cve": null, + "cve": "PVE-2021-37099", "id": "pyup.io-37099", "specs": [ "<0.9.5alpha" 
@@ -9858,7 +12595,7 @@ "metadataproxy": [ { "advisory": "metadataproxy before 1.1.1 has a flaw in the proxy functionality when used in passthrough mode that would expose the host's IAM role credentials when extra paths were added to the end of the security-credentials end-point. metadataproxy will now properly capture any call to iam/security-credentials/ and return the scoped credentials, rather than the host's credentials.", - "cve": null, + "cve": "PVE-2021-25888", "id": "pyup.io-25888", "specs": [ "<1.1.1" @@ -9869,7 +12606,7 @@ "metpx-sarracenia": [ { "advisory": "Metpx-sarracenia 2.20.04b2 removes recursion in the connection recovery, which was vulnerable to stack exhaustion on long failures.", - "cve": null, + "cve": "PVE-2021-38182", "id": "pyup.io-38182", "specs": [ "<2.20.04b2" @@ -9880,7 +12617,7 @@ "metron-tagger": [ { "advisory": "Metron-tagger 1.0.7 uses a more secure SSL context.", - "cve": null, + "cve": "PVE-2021-38645", "id": "pyup.io-38645", "specs": [ "<1.0.7" @@ -9891,7 +12628,7 @@ "mezzanine": [ { "advisory": "mezzanine 4.3.0 fixes a potential security vulnerability in which the password reset url is exposed to untrusted intermediary nodes in the network.", - "cve": null, + "cve": "PVE-2021-36270", "id": "pyup.io-36270", "specs": [ "<4.3.0" @@ -9902,7 +12639,7 @@ "mgp2pdf": [ { "advisory": "In mgp2pdf before 0.10 `%filter`` is enabled by default which is a security risk.", - "cve": null, + "cve": "PVE-2021-25889", "id": "pyup.io-25889", "specs": [ "<0.10" @@ -9913,7 +12650,7 @@ "mi": [ { "advisory": "Mi 0.1 removes ``pyramid.session.signed_serialize``, and ``pyramid.session.signed_deserialize``. These methods were only used by the now-removed ``pyramid.session.UnencryptedCookieSessionFactoryConfig`` and were coupled to the vulnerable pickle serialization format which could lead to remove code execution if the secret key is compromised. See: .", - "cve": null, + "cve": "PVE-2021-38079", "id": "pyup.io-38079", "specs": [ "<0.1" 
@@ -9922,7 +12659,7 @@ }, { "advisory": "Mi 0.2 adds ACL-based security.", - "cve": null, + "cve": "PVE-2021-37998", "id": "pyup.io-37998", "specs": [ "<0.2" @@ -9931,7 +12668,7 @@ }, { "advisory": "mi 0.4.2 changes the default paster template generator to use ``Paste#http`` server rather than ``PasteScript#cherrpy`` server. The cherrypy server has a security risk in it when ``REMOTE_USER`` is trusted by the downstream application.", - "cve": null, + "cve": "PVE-2021-37993", "id": "pyup.io-37993", "specs": [ "<0.4.2" @@ -9940,7 +12677,7 @@ }, { "advisory": "In mi before 1.0a3, the pylons_* paster template used the same string (``your_app_secret_string``) for the ``session.secret`` setting in the generated ``development.ini``. This was a security risk if left unchanged in a project that used one of the templates to produce production applications. It now uses a randomly generated string.", - "cve": null, + "cve": "PVE-2021-37982", "id": "pyup.io-37982", "specs": [ "<1.0a3" @@ -9949,7 +12686,7 @@ }, { "advisory": "The default Mako renderer in mi version 1.1a1 is configured to escape all HTML in expression tags. This is intended to help prevent XSS attacks caused by rendering unsanitized input from users. To revert this behavior in user's templates, they need to filter the expression through the 'n' filter. For example, ${ myhtml | n }. See https://github.com/Pylons/pyramid/issues/193.", - "cve": null, + "cve": "PVE-2021-37979", "id": "pyup.io-37979", "specs": [ "<1.1a1" @@ -9958,7 +12695,7 @@ }, { "advisory": "The AuthTktAuthenticationPolicy before mi 1.3a1 did not use a timing-attack-aware string comparator. See https://github.com/Pylons/pyramid/pull/320 for more info.", - "cve": null, + "cve": "PVE-2021-37974", "id": "pyup.io-37974", "specs": [ "<1.3a1" 
@@ -9967,7 +12704,7 @@ }, { "advisory": "Mi 1.6a1 improves robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See: . Additionally, it avoids timing attacks against CSRF tokens. See: .", - "cve": null, + "cve": "PVE-2021-38003", "id": "pyup.io-38003", "specs": [ "<1.6a1" 
@@ -9984,10 +12721,172 @@ "v": "<1.6a2" } ], + "mikado": [ + { + "advisory": "Mikado 2.1.0 removes unsafe calls to 'tempfile.mktemp' and other such files, for increased security according to CodeQL.", + "cve": "PVE-2021-40159", + "id": "pyup.io-40159", + "specs": [ + "<2.1.0" + ], + "v": "<2.1.0" + } + ], + "mindspore": [ + { + "advisory": "Mindspore 0.5.0b includes a fix for CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.", + "cve": "CVE-2020-11655", + "id": "pyup.io-40834", + "specs": [ + "<0.5.0b" + ], + "v": "<0.5.0b" + }, + { + "advisory": "Mindspore 0.5.0b includes a fix for CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.", + "cve": "CVE-2020-11655", + "id": "pyup.io-39760", + "specs": [ + "<0.5.0b" + ], + "v": "<0.5.0b" + }, + { + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-13632", + "id": "pyup.io-39755", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta updates sqlite to 3.32.2 to handle CVE-2020-11656, CVE-2020-13871, CVE-2020-11655, CVE-2020-9327, CVE-2020-13630, CVE-2020-15358, CVE-2020-13631, CVE-2020-13632, CVE-2020-13434, CVE-2020-13435, and CVE-2020-15358.", + "cve": "CVE-2020-13630", + "id": "pyup.io-39758", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13434.", + "cve": "CVE-2020-13434", + "id": "pyup.io-40840", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, 
+ { + "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13435.", + "cve": "CVE-2020-13435", + "id": "pyup.io-40841", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13871.", + "cve": "CVE-2020-13871", + "id": "pyup.io-40833", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-9327.", + "cve": "CVE-2020-9327", + "id": "pyup.io-40835", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13630.", + "cve": "CVE-2020-13630", + "id": "pyup.io-40836", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-15358.", + "cve": "CVE-2020-15358", + "id": "pyup.io-40837", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13631.", + "cve": "CVE-2020-13631", + "id": "pyup.io-40838", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta includes a fix for CVE-2020-13871: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39761", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.5.0beta includes a fix for CVE-2020-9327: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39759", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + 
"advisory": "Mindspore 0.5.0beta upgrades the 'SQLite' dependency to 3.32.2 to handle CVE-2020-13632.", + "cve": "CVE-2020-13632", + "id": "pyup.io-40839", + "specs": [ + "<0.5.0beta" + ], + "v": "<0.5.0beta" + }, + { + "advisory": "Mindspore 0.6.0b, 0.7.0b and 1.0.0 updates the underlying 'libjpeg-turbo' dependency to 2.0.4 to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-41016", + "specs": [ + "<0.6.0b", + "<0.7.0b", + "<1.0.0" + ], + "v": "<0.6.0b,<0.7.0b,<1.0.0" + }, + { + "advisory": "Mindspore 1.0.0, 0.7.0b, 0.6.0b, and 0.5.0b includes a fix for CVE-2020-11656: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.", + "cve": "CVE-2020-11656", + "id": "pyup.io-41006", + "specs": [ + "<0.6.0b", + "<0.7.0b", + "<1.0.0", + "<0.5.0b" + ], + "v": "<0.6.0b,<0.7.0b,<1.0.0,<0.5.0b" + } + ], "mini-amf": [ { "advisory": "mini-amf before 0.8 is vulnerable to XML entity attacks.", - "cve": null, + "cve": "PVE-2021-33048", "id": "pyup.io-33048", "specs": [ "<0.8" @@ -9998,7 +12897,7 @@ "miniwdl": [ { "advisory": "Miniwdl 0.6.0 manipulates ownership/permissions to improve security and user experience:\r\n* as run completes, chown everything in run directory to invoking user and primary group\r\n* run task commands with membership in invoking user's primary group, ensuring access to working directory even if they've dropped privileges (a good docker security practice)\r\n* `--as-me` to force all task commands to run as invoking user (more secure, but blocks commands that assume root e.g. apt-get)\r\n* Revert to always running command in bash (as required by WDL spec) rather than container $SHELL", - "cve": null, + "cve": "PVE-2021-37814", "id": "pyup.io-37814", "specs": [ "<0.6.0" 
@@ -10009,7 +12908,7 @@ "misago": [ { "advisory": "misago 0.19.4 updates requests to 2.20.0 resolving potential vulnerability in HTTP connections handling.", - "cve": null, + "cve": "PVE-2021-36607", "id": "pyup.io-36607", "specs": [ "<0.19.4" @@ -10020,7 +12919,7 @@ "mishmash": [ { "advisory": "mishmash 0.3b12 - Pyaml >= 4.2b1 for security alert.", - "cve": null, + "cve": "PVE-2021-36795", "id": "pyup.io-36795", "specs": [ "<0.3b12" @@ -10064,7 +12963,7 @@ "mistune": [ { "advisory": "mistune before 0.7.2 is vulnerable to an XSS attack. It is possible to bypass the renderer's link security check.", - "cve": null, + "cve": "PVE-2021-25890", "id": "pyup.io-25890", "specs": [ "<0.7.2" @@ -10082,7 +12981,7 @@ }, { "advisory": "Mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such as in java\\nscript:) or a crafted email address, related to the escape and autolink functions.", - "cve": null, + "cve": "PVE-2021-35030", "id": "pyup.io-35030", "specs": [ "==0.7.4" @@ -10090,10 +12989,21 @@ "v": "==0.7.4" } ], + "mitiq": [ + { + "advisory": "Mitiq 0.4.0 updates notebook version in requirements to resolve a vulnerability. No details were provided.", + "cve": "PVE-2021-39241", + "id": "pyup.io-39241", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + } + ], "mitmproxy": [ { "advisory": "mitmproxy before 0.17 has a XSS vulnerability in HTTP errors.", - "cve": null, + "cve": "PVE-2021-25891", "id": "pyup.io-25891", "specs": [ "<0.17" @@ -10120,7 +13030,7 @@ }, { "advisory": "Mitmproxy 5.0 fixes command injection vulnerabilities when exporting flows as curl/httpie commands. It also does not echo unsanitized user input in HTTP error responses.", - "cve": null, + "cve": "PVE-2021-38179", "id": "pyup.io-38179", "specs": [ "<5.0" 
@@ -10131,7 +13041,7 @@ "mitogen": [ { "advisory": "Before mitogen version 0.2.8, unidirectional routing, where contexts may optionally only communicate with parents and never siblings (so that air-gapped networks cannot be unintentionally bridged) was not inherited when a child was initiated directly from another child. This did not effect Ansible, since the controller initiates any new child used for routing, only forked tasks are initiated by children [gh:commit:`5924af15`].", - "cve": null, + "cve": "PVE-2021-37381", "id": "pyup.io-37381", "specs": [ "<0.2.8" @@ -10142,7 +13052,7 @@ "mixminion": [ { "advisory": "mixminion before 0.0.2 is vulnerable to certain trivial DoS attacks. In particular, it's possible to send zlib bombs or flood a server with open connections.", - "cve": null, + "cve": "PVE-2021-25892", "id": "pyup.io-25892", "specs": [ "<0.0.2" @@ -10153,18 +13063,27 @@ "mkdocs-material": [ { "advisory": "mkdocs-material before 1.0.0 uses _blank targets on links which make it vulnerable to Cross Site Scripting attacks.", - "cve": null, + "cve": "PVE-2021-32121", "id": "pyup.io-32121", "specs": [ "<1.0.0" ], "v": "<1.0.0" + }, + { + "advisory": "Mkdocs-material 7.0.6 improves the security of the Docker image.", + "cve": "PVE-2021-39706", + "id": "pyup.io-39706", + "specs": [ + "<7.0.6" + ], + "v": "<7.0.6" } ], "mkdocs-table-reader-plugin": [ { "advisory": "Mkdocs-table-reader-plugin 0.2 drops the use of eval() in favor of ast.literal_eval() for security reasons.", - "cve": null, + "cve": "PVE-2021-38272", "id": "pyup.io-38272", "specs": [ "<0.2" 
@@ -10183,10 +13102,32 @@ "v": "<0.2.2" } ], + "mlf-core": [ + { + "advisory": "Mlf-core 1.10.0 includes a fix for insecure MD5 (from Bandit report).", + "cve": "PVE-2021-39705", + "id": "pyup.io-39705", + "specs": [ + "<1.10.0" + ], + "v": "<1.10.0" + } + ], + "mockintosh": [ + { + "advisory": "Mockintosh 0.4 adds the ability to refer to external files (containing request and response bodies) and makes it secure by disallowing files outside the mock config hierarchy.", + "cve": "PVE-2021-39463", + "id": "pyup.io-39463", + "specs": [ + "<0.4" + ], + "v": "<0.4" + } + ], "mockup": [ { "advisory": "mockup before 2.1.3 has XSS vulnerability issues in structure and relateditem patterns.", - "cve": null, + "cve": "PVE-2021-25893", "id": "pyup.io-25893", "specs": [ "<2.1.3" @@ -10204,6 +13145,15 @@ ], "v": "<1.6.1" }, + { + "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-7146.", + "cve": "CVE-2016-7146", + "id": "pyup.io-39588", + "specs": [ + "<1.9.10" + ], + "v": "<1.9.10" + }, { "advisory": "Moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code.", "cve": "CVE-2017-5934", @@ -10214,8 +13164,17 @@ "v": "<1.9.10" }, { - "advisory": "Moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code, as well as CVE-2016-7146 and CVE-2016-9119.", - "cve": "CVE-2017-5934, CVE-2016-7146, CVE-2016-9119", + "advisory": "Moin 1.9.10 includes a security fix for CVE-2016-9119.", + "cve": "CVE-2016-9119", + "id": "pyup.io-39587", + "specs": [ + "<1.9.10" + ], + "v": "<1.9.10" + }, + { + "advisory": "Moin 1.9.10 includes a security fix for CVE-2017-5934, XSS in GUI editor related code.", + "cve": "PVE-2021-36478", "id": "pyup.io-36478", "specs": [ "<1.9.10" @@ -10224,7 +13183,7 @@ }, { "advisory": "Moin 2.2.2 removes two cross-site scripting vulnerabilities reported by \"office\".", - "cve": null, + "cve": "PVE-2021-36475", "id": "pyup.io-36475", "specs": [ "<2.2.2" 
@@ -10235,7 +13194,7 @@ "mollie-api-python": [ { "advisory": "mollie-api-python 2.0.4 updates requests to 2.20.0 because of a moderate severity vulnerability in versions prior to 2.20.0", - "cve": null, + "cve": "PVE-2021-36650", "id": "pyup.io-36650", "specs": [ "<2.0.4" @@ -10246,7 +13205,7 @@ "monoshape": [ { "advisory": "Monoshape 1.2 updates Pillow version for security.", - "cve": null, + "cve": "PVE-2021-37605", "id": "pyup.io-37605", "specs": [ "<1.2" @@ -10257,7 +13216,7 @@ "mopidy-jellyfin": [ { "advisory": "Mopidy-jellyfin 0.3.1 addresses a security vulnerability in one of its dependencies.", - "cve": null, + "cve": "PVE-2021-37281", "id": "pyup.io-37281", "specs": [ "<0.3.1" @@ -10268,7 +13227,7 @@ "morepath": [ { "advisory": "morepath before 0.14 has no host header validation to protect against header poisoning attacks.", - "cve": null, + "cve": "PVE-2021-25895", "id": "pyup.io-25895", "specs": [ "<0.14" @@ -10279,7 +13238,7 @@ "mortimer": [ { "advisory": "Mortimer 0.4.5 further increases the data protection and data security through an improved handling of access to the alfred database from inside experiments.", - "cve": null, + "cve": "PVE-2021-38277", "id": "pyup.io-38277", "specs": [ "<0.4.5" @@ -10290,7 +13249,7 @@ "mosql": [ { "advisory": "mosql 0.10 includes several security related changes.", - "cve": null, + "cve": "PVE-2021-25896", "id": "pyup.io-25896", "specs": [ "<0.10" 
@@ -10298,10 +13257,39 @@ "v": "<0.10" } ], + "mpxj": [ + { + "advisory": "Mpxj 5.0.0 fixes a XXE security vulnerability. See also .", + "cve": "PVE-2021-39675", + "id": "pyup.io-39675", + "specs": [ + "<5.0.0" + ], + "v": "<5.0.0" + }, + { + "advisory": "Mpxj 8.1.4 addresses the CVE-2020-25020 XXE vulnerability.", + "cve": "CVE-2020-25020", + "id": "pyup.io-39674", + "specs": [ + "<8.1.4" + ], + "v": "<8.1.4" + }, + { + "advisory": "Mpxj 8.3.5 addresses the CVE-2020-35460 zip slip vulnerability.", + "cve": "PVE-2021-39673", + "id": "pyup.io-39673", + "specs": [ + "<8.3.5" + ], + "v": "<8.3.5" + } + ], "mpymodcore": [ { "advisory": "Mpymodcore 0.0.12 hardens the WindUp security (user module), and secures router with a redirect/bad request response.", - "cve": null, + "cve": "PVE-2021-38431", "id": "pyup.io-38431", "specs": [ "<0.0.12" @@ -10310,7 +13298,7 @@ }, { "advisory": "Mpymodcore 0.0.9 includes hardening of WindUp security and it also secures router with a redirect/bad request response.", - "cve": null, + "cve": "PVE-2021-38218", "id": "pyup.io-38218", "specs": [ "<0.0.9" @@ -10319,7 +13307,7 @@ }, { "advisory": "The changelog of mpymodcore 0.0.14 mentions some backlogged tasks, among which: \"WindUp security hardening, user module, secure router with redirect/bad request response\"", - "cve": null, + "cve": "PVE-2021-38795", "id": "pyup.io-38795", "specs": [ "<=0.0.14" @@ -10328,7 +13316,7 @@ }, { "advisory": "Mpymodcore version 0.0.15 and below (and possibly later version, too) are in need of WindUp security hardening. This is listed in the backlog.", - "cve": null, + "cve": "PVE-2021-38872", "id": "pyup.io-38872", "specs": [ "<=0.0.15" @@ -10337,7 +13325,7 @@ }, { "advisory": "Mpymodcore 0.0.17 mentions in its changelog that WindUp security hardening is a backlogged task.", - "cve": null, + "cve": "PVE-2021-38980", "id": "pyup.io-38980", "specs": [ "<=0.0.17" 
@@ -10346,18 +13334,38 @@ }, { "advisory": "Mpymodcore 0.0.18 includes a note in its list of backlogged tasks to harden the security of WindUp, securing the router with a redirect/bad request response.", - "cve": null, + "cve": "PVE-2021-39161", "id": "pyup.io-39161", "specs": [ "<=0.0.18" ], "v": "<=0.0.18" + }, + { + "advisory": "Mpymodcore 0.0.19 was released with the acknowledgement that WindUp requires security hardening.", + "cve": "PVE-2021-39273", + "id": "pyup.io-39273", + "specs": [ + "<=0.0.19" + ], + "v": "<=0.0.19" + } + ], + "mqtt-io": [ + { + "advisory": "Mqtt-io 0.5.2 updates PyYAML to a version that doesn't suffer from CVE-2020-1747 vulnerability.", + "cve": "CVE-2020-1747", + "id": "pyup.io-40018", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" } ], "mr.migrator": [ { "advisory": "mr.migrator 1.2 fixes a form problem with security hotfix.", - "cve": null, + "cve": "PVE-2021-25897", "id": "pyup.io-25897", "specs": [ "<1.2" @@ -10368,7 +13376,7 @@ "msgpack": [ { "advisory": "msgpack 0.6.0 contains some backward incompatible changes for security reason (DoS).", - "cve": null, + "cve": "PVE-2021-36700", "id": "pyup.io-36700", "specs": [ "<0.6.0" @@ -10379,7 +13387,7 @@ "mss": [ { "advisory": "mss before 2.0.18 has a undisclosed security issue.", - "cve": null, + "cve": "PVE-2021-25898", "id": "pyup.io-25898", "specs": [ "<2.0.18" 
@@ -10387,21 +13395,32 @@ "v": "<2.0.18" } ], - "mtga": [ + "msticpy": [ { - "advisory": "mtga 2.0.0beta includes API security improvements & fixes.", - "cve": null, - "id": "pyup.io-36317", + "advisory": "Msticpy 1.1.0 updates requirements files for the 'lxml' and 'aiohttp' dependencies for security reasons.", + "cve": "PVE-2021-40859", + "id": "pyup.io-40859", "specs": [ - "<2.0.0beta" + "<1.1.0" ], - "v": "<2.0.0beta" + "v": "<1.1.0" + } + ], + "mtga": [ + { + "advisory": "mtga 2.0.0beta includes API security improvements & fixes.", + "cve": "PVE-2021-36317", + "id": "pyup.io-36317", + "specs": [ + "<2.0.0beta" + ], + "v": "<2.0.0beta" } ], "mtprotoproxy": [ { "advisory": "mtprotoproxy before 1.0.0 has the potential to allow for passive detection given known string lengths.\r\nV1.0.0 now adds random paddings to prevent this.", - "cve": null, + "cve": "PVE-2021-36301", "id": "pyup.io-36301", "specs": [ "<1.0.0" @@ -10410,7 +13429,7 @@ }, { "advisory": "Mtprotoproxy 1.0.6 adds more protections from replay attacks.", - "cve": null, + "cve": "PVE-2021-37407", "id": "pyup.io-37407", "specs": [ "<1.0.6" @@ -10421,12 +13440,21 @@ "muffnn": [ { "advisory": "Muffnn 2.3.1 increases the minimum version of tensorflow to v1.15.2 to fix a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38154", "id": "pyup.io-38154", "specs": [ "<2.3.1" ], "v": "<2.3.1" + }, + { + "advisory": "Muffnn 2.3.2 increases the minimum version of 'tensorflow' to version 1.15.4 to fix the security vulnerability reported in .", + "cve": "PVE-2021-39222", + "id": "pyup.io-39222", + "specs": [ + "<2.3.2" + ], + "v": "<2.3.2" } ], "murano-dashboard": [ 
@@ -10444,7 +13472,7 @@ "music21": [ { "advisory": "Music21 6.1.0 is no longer packaged with external modules; these will be installed when installing music21 via pip (otherwise run `pip install -r requirements.txt`). Speed and security improvements come with this.", - "cve": null, + "cve": "PVE-2021-38746", "id": "pyup.io-38746", "specs": [ "<6.1.0" @@ -10455,7 +13483,7 @@ "mxnet": [ { "advisory": "In mxnet before 1.0.0, mxnet listens on all available interfaces when running training in distributed mode.", - "cve": null, + "cve": "PVE-2021-35115", "id": "pyup.io-35115", "specs": [ "<1.0.0" @@ -10494,10 +13522,32 @@ "v": "<=8.0.13" } ], + "naas": [ + { + "advisory": "Naas 1.5.22 includes a security issue fix.", + "cve": "PVE-2021-40076", + "id": "pyup.io-40076", + "specs": [ + "<1.5.22" + ], + "v": "<1.5.22" + } + ], + "naas-drivers": [ + { + "advisory": "Naas-drivers 0.66.7 adds sensitive for randint. This is a security measure.", + "cve": "PVE-2021-40871", + "id": "pyup.io-40871", + "specs": [ + "<0.66.7" + ], + "v": "<0.66.7" + } + ], "nanopb": [ { "advisory": "Nanopb 0.2.8 fixes a security issue with PB_ENABLE_MALLOC.", - "cve": null, + "cve": "PVE-2021-37705", "id": "pyup.io-37705", "specs": [ "<0.2.8" @@ -10506,7 +13556,7 @@ }, { "advisory": "Nanopb 0.2.9.1 fixes a security issue due to size_t overflows.", - "cve": null, + "cve": "PVE-2021-37808", "id": "pyup.io-37808", "specs": [ "<0.2.9.1" @@ -10515,7 +13565,7 @@ }, { "advisory": "Nanopb before 0.3.1 fixes a security issue due to size_t overflows.", - "cve": null, + "cve": "PVE-2021-37704", "id": "pyup.io-37704", "specs": [ "<0.3.1" @@ -10524,7 +13574,7 @@ }, { "advisory": "Nanopb 0.2.9.1 and 0.3.1 fix a security issue due to size_t overflows (issue 132).", - "cve": null, + "cve": "PVE-2021-37706", "id": "pyup.io-37706", "specs": [ ">=0.3.0,<0.3.1", 
@@ -10547,7 +13597,7 @@ "nba-scraper": [ { "advisory": "Nba-scraper 0.2.7 removes a security flaw where it wasn't verifying SSL certificates during testing.", - "cve": null, + "cve": "PVE-2021-37142", "id": "pyup.io-37142", "specs": [ "<0.2.7" @@ -10555,10 +13605,43 @@ "v": "<0.2.7" } ], + "nbgrader": [ + { + "advisory": "Nbgrader 0.6.0 includes instructions for how to do grading inside a Docker container, for increased protection against malicious code submitted by students.", + "cve": "PVE-2021-40419", + "id": "pyup.io-40419", + "specs": [ + "<0.6.0" + ], + "v": "<0.6.0" + } + ], + "nbsafety": [ + { + "advisory": "Nbsafety 0.0.69 includes minor security fixes in underlying NPM packages.", + "cve": "PVE-2021-40540", + "id": "pyup.io-40540", + "specs": [ + "<0.0.69" + ], + "v": "<0.0.69" + } + ], + "ncbimeta": [ + { + "advisory": "Ncbimeta 0.8.0 updates the 'lxml' dependency due to a security vulnerability.", + "cve": "PVE-2021-40508", + "id": "pyup.io-40508", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + } + ], "nearbeach": [ { "advisory": "Nearbeach 0.22.1 fixes several security issues in relation to Bandit, identified by Nearbeach as BUG491, BUG492, BUG493, BUG494, BUG495, BUG496, BUG497, and BUG498.", - "cve": null, + "cve": "PVE-2021-37602", "id": "pyup.io-37602", "specs": [ "<0.22.1" 
@@ -10566,10 +13649,48 @@ "v": "<0.22.1" } ], + "nemo": [ + { + "advisory": "Nemo 2.3.3 updates the 'django' dependency to mitigate a security vulnerability.", + "cve": "PVE-2021-40131", + "id": "pyup.io-40131", + "specs": [ + "<2.3.3" + ], + "v": "<2.3.3" + }, + { + "advisory": "Nemo 3.6.0 updates the 'cryptography' dependency due to vulnerability in the previous version.", + "cve": "PVE-2021-40130", + "id": "pyup.io-40130", + "specs": [ + "<3.6.0" + ], + "v": "<3.6.0" + }, + { + "advisory": "Nemo 3.8.0 updates the 'cryptography' dependency due to vulnerability in the previous version.", + "cve": "PVE-2021-40129", + "id": "pyup.io-40129", + "specs": [ + "<3.8.0" + ], + "v": "<3.8.0" + }, + { + "advisory": "Nemo 3.9.2 updates the 'django' to 2.2.20 for security reasons.", + "cve": "PVE-2021-40184", + "id": "pyup.io-40184", + "specs": [ + "<3.9.2" + ], + "v": "<3.9.2" + } + ], "neo-python": [ { "advisory": "neo-python 0.7.8 fixes vulnerability to RPC invoke functionality that can send node into unclosed loop during 'test' invokes.", - "cve": null, + "cve": "PVE-2021-36441", "id": "pyup.io-36441", "specs": [ "<0.7.8" @@ -10577,10 +13698,21 @@ "v": "<0.7.8" } ], + "nepse-api": [ + { + "advisory": "Nepse-api 0.3 discontinues the use of a non-maintainable 'converter.py' in 'nepse/security', the response data is now directly kept in a dataclass using 'DataClassXyz(**data)'.", + "cve": "PVE-2021-40589", + "id": "pyup.io-40589", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], "netdumplings": [ { "advisory": "Netdumplings 0.4.0 updates the websockets dependency to v7 to fix security warnings.", - "cve": null, + "cve": "PVE-2021-37208", "id": "pyup.io-37208", "specs": [ "<0.4.0" @@ -10591,7 +13723,7 @@ "netfoundry": [ { "advisory": "Netfoundry 4.19.0 fixes a rake vulnerability in the `.gemspec` file.", - "cve": null, + "cve": "PVE-2021-39082", "id": "pyup.io-39082", "specs": [ "<4.19.0" 
@@ -10613,7 +13745,7 @@ "netviel": [ { "advisory": "Netviel 0.2 fixes security vulnerabilities. No details were provided.", - "cve": null, + "cve": "PVE-2021-38366", "id": "pyup.io-38366", "specs": [ "<0.2" 
@@ -10632,12 +13764,23 @@ ">=13.0,<13.0.3" ], "v": ">=11.0,<11.0.7,>=12.0,<12.0.6,>=13.0,<13.0.3" + }, + { + "advisory": "A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch driver are affected. Source: OpenStack project. Versions before openstack-neutron 15.3.3, openstack-neutron 16.3.1 and openstack-neutron 17.1.1 are affected.", + "cve": "CVE-2021-20267", + "id": "pyup.io-40569", + "specs": [ + ">=15.3.0a1,<15.3.3", + ">=16.3.0a1,<16.3.1", + ">=17.1.0a1,<17.1.1" + ], + "v": ">=15.3.0a1,<15.3.3,>=16.3.0a1,<16.3.1,>=17.1.0a1,<17.1.1" } ], "newrelic": [ { "advisory": "New Relic agents run explain plans for Slow Transaction Traces and Slow SQL Queries. Previous versions of the agents would run an explain plan on the SQL query by prepending the query with explain. This may cause an issue when there are multiple statements separated by semicolons in a single query. The first statement in the string returns its explain plan, but any subsequent statement after that may execute as a general SQL statement. Depending on the language, library, and database, the agent may return the results of the additional statements to New Relic. It is also possible that the additional statements could execute an additional INSERT or UPDATE command. With this security update, New Relic agents will no longer run explain plans on any query that contains a semicolon as a statement separator.", - "cve": null, + "cve": "PVE-2021-35805", "id": "pyup.io-35805", "specs": [ ">=1.1.0.192,<=2.106.0.87" 
@@ -10648,7 +13791,7 @@ "newsletter": [ { "advisory": "newsletter 0.1.17pre in newsletterapp is now more secure by default. Does not setup default users for admin section.", - "cve": null, + "cve": "PVE-2021-25902", "id": "pyup.io-25902", "specs": [ "<0.1.17pre" @@ -10659,7 +13802,7 @@ "nfw": [ { "advisory": "nfw before 0.0.7 is vulnerable to SQL-injection attacks.", - "cve": null, + "cve": "PVE-2021-32994", "id": "pyup.io-32994", "specs": [ "<0.0.7" @@ -10670,7 +13813,7 @@ "ngraph-mxnet": [ { "advisory": "ngraph-mxnet 1.0.0 fixed a security bug that is causing MXNet to listen on all available interfaces when running training in distributed mode.", - "cve": null, + "cve": "PVE-2021-36701", "id": "pyup.io-36701", "specs": [ "<1.0.0" @@ -10681,7 +13824,7 @@ "nifcloud": [ { "advisory": "Nifcloud 0.1.7 updates dependencies to fix a vulnerability.", - "cve": null, + "cve": "PVE-2021-37098", "id": "pyup.io-37098", "specs": [ "<0.1.7" 
@@ -10689,10 +13832,101 @@ "v": "<0.1.7" } ], + "nkocr": [ + { + "advisory": "Nkocr 2.0.0 includes a dependency security update.", + "cve": "PVE-2021-40152", + "id": "pyup.io-40152", + "specs": [ + "<2.0.0" + ], + "v": "<2.0.0" + }, + { + "advisory": "Nkocr 2.0.1 updates dependencies for security reasons.", + "cve": "PVE-2021-40151", + "id": "pyup.io-40151", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + } + ], + "nni": [ + { + "advisory": "Nni 2.1 fixes an arbitrary code execution security issue.", + "cve": "PVE-2021-40661", + "id": "pyup.io-40661", + "specs": [ + "<2.1" + ], + "v": "<2.1" + } + ], + "nobinobi-child": [ + { + "advisory": "Nobinobi-child 0.1.3.6 updates requirements for a security fix.", + "cve": "PVE-2021-40196", + "id": "pyup.io-40196", + "specs": [ + "<0.1.3.6" + ], + "v": "<0.1.3.6" + }, + { + "advisory": "Nobinobi-child 0.1.3.7 updates dependency requirements for a security fix.", + "cve": "PVE-2021-40626", + "id": "pyup.io-40626", + "specs": [ + "<0.1.3.7" + ], + "v": "<0.1.3.7" + } + ], + "nobinobi-core": [ + { + "advisory": "Nobinobi-core 0.1.4.1 updates underlying 'django' dependency for a security fix.", + "cve": "PVE-2021-40627", + "id": "pyup.io-40627", + "specs": [ + "<0.1.4.1" + ], + "v": "<0.1.4.1" + } + ], + "nobinobi-daily-follow-up": [ + { + "advisory": "Nobinobi-daily-follow-up 0.1.1.11 updates its requirements for security reasons.", + "cve": "PVE-2021-40567", + "id": "pyup.io-40567", + "specs": [ + "<0.1.1.11" + ], + "v": "<0.1.1.11" + }, + { + "advisory": "Nobinobi-daily-follow-up 0.1.1.12 updates underlying dependencies for security reason.", + "cve": "PVE-2021-40810", + "id": "pyup.io-40810", + "specs": [ + "<0.1.1.12" + ], + "v": "<0.1.1.12" + }, + { + "advisory": "Nobinobi-daily-follow-up 0.1.1.9 updates requirements for security reasons.", + "cve": "PVE-2021-40202", + "id": "pyup.io-40202", + "specs": [ + "<0.1.1.9" + ], + "v": "<0.1.1.9" + } + ], "noiseprotocol": [ { "advisory": "noiseprotocol before 0.2.1 used an 
insecure transitive dependency (Cryptography<=2.1.3).", - "cve": null, + "cve": "PVE-2021-35043", "id": "pyup.io-35043", "specs": [ "<0.2.1" @@ -10703,7 +13937,7 @@ "normcap": [ { "advisory": "Normcap 0.1.1 updates PyInstaller to avoid potential vulnerability.", - "cve": null, + "cve": "PVE-2021-37722", "id": "pyup.io-37722", "specs": [ "<0.1.1" @@ -10712,7 +13946,7 @@ }, { "advisory": "Normcap 0.1.2 updates the Bleach Package to avoid a potential vulnerability.", - "cve": null, + "cve": "PVE-2021-38132", "id": "pyup.io-38132", "specs": [ "<0.1.2" @@ -10723,7 +13957,7 @@ "notable": [ { "advisory": "notable 0.0.6 fixes a security regression in the new BoltDB backend.", - "cve": null, + "cve": "PVE-2021-34447", "id": "pyup.io-34447", "specs": [ "<0.0.6" 
@@ -10741,6 +13975,87 @@ ], "v": "<4.0.5" }, + { + "advisory": "Notebook 4.0.5 includes security fixes for maliciously crafted files (CVE-2015-6938).", + "cve": "CVE-2015-6938", + "id": "pyup.io-40389", + "specs": [ + "<4.0.5" + ], + "v": "<4.0.5" + }, + { + "advisory": "Notebook 4.0.5 includes security fixes for maliciously crafted files (CVE-2015-7337).", + "cve": "CVE-2015-7337", + "id": "pyup.io-40398", + "specs": [ + "<4.0.5" + ], + "v": "<4.0.5" + }, + { + "advisory": "Notebook 5.4.1 adds a security release fix (CVE-2018-8768).", + "cve": "CVE-2018-8768", + "id": "pyup.io-40386", + "specs": [ + "<5.4.1" + ], + "v": "<5.4.1" + }, + { + "advisory": "Kiwi TCMS 6.4 updates Patternfly to version 3.59.0, which deals with an XSS issue in bootstrap (CVE-2018-14041). By default session cookies will expire after 24 hours. This can now be controlled via the ``SESSION_COOKIE_AGE`` setting. See https://github.com/kiwitcms/Kiwi/issues/556.", + "cve": "CVE-2018-14041", + "id": "pyup.io-40385", + "specs": [ + "<5.7.3" + ], + "v": "<5.7.3" + }, + { + "advisory": "Notebook 5.7.6 includes a fix for vulnerability (CVE-2019-9644).", + "cve": "CVE-2019-9644", + "id": "pyup.io-40384", + "specs": [ + "<5.7.6" + ], + "v": "<5.7.6" + }, + { + "advisory": "Notebook 5.7.8 fixes the 'Open Redirect' vulnerability (CVE-2019-10255).", + "cve": "CVE-2019-10255", + "id": "pyup.io-40383", + "specs": [ + "<5.7.8" + ], + "v": "<5.7.8" + }, + { + "advisory": "Notebook 6.0 improves SSL/TLS security by using PROTOCOL_TLS which selects the highest SSL/TLS protocol version available that both the client and server support. When PROTOCOL_TLS is not available use PROTOCOL_SSLv23.", + "cve": "PVE-2021-40382", + "id": "pyup.io-40382", + "specs": [ + "<6.0" + ], + "v": "<6.0" + }, + { + "advisory": "Notebook 6.0.2 includes a fix for CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. 
If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", + "cve": "CVE-2019-11358", + "id": "pyup.io-40381", + "specs": [ + "<6.0.2" + ], + "v": "<6.0.2" + }, + { + "advisory": "Notebook 6.1.5 fixes open redirect vulnerability 'GHSA-c7vm-f5p4-8fqh'. See: CVE-2020-26215.", + "cve": "CVE-2020-26215", + "id": "pyup.io-40380", + "specs": [ + "<6.1.5" + ], + "v": "<6.1.5" + }, { "advisory": "Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.", "cve": "CVE-2015-6938", @@ -10749,12 +14064,21 @@ ">=4.0,<4.0.5" ], "v": ">=4.0,<4.0.5" + }, + { + "advisory": "Notebook 4.2.2 includes an important security fix (CVE-2016-6524).", + "cve": "CVE-2016-6524", + "id": "pyup.io-40388", + "specs": [ + ">=4.0.0a1,<4.2.2" + ], + "v": ">=4.0.0a1,<4.2.2" } ], "notifications-python-client": [ { "advisory": "notifications-python-client before 4.7.1 is vulnerable to a not further described security issue in PyJWT.", - "cve": null, + "cve": "PVE-2021-35116", "id": "pyup.io-35116", "specs": [ "<4.7.1" @@ -10822,10 +14146,21 @@ "v": ">0" } ], + "nox-poetry": [ + { + "advisory": "Nox-poetry 0.8.2 updates vulnerable sub-dependencies.", + "cve": "PVE-2021-39702", + "id": "pyup.io-39702", + "specs": [ + "<0.8.2" + ], + "v": "<0.8.2" + } + ], "nrel-rex": [ { "advisory": "Nrel-rex 0.2.16 adds a simple eval equation checker for malicious statements.", - "cve": null, + "cve": "PVE-2021-38909", "id": "pyup.io-38909", "specs": [ "<0.2.16" 
@@ -10836,7 +14171,7 @@ "nsupdate": [ { "advisory": "nsupdate before 0.3.0 is vulnerable to a undisclosed security issue.", - "cve": null, + "cve": "PVE-2021-25906", "id": "pyup.io-25906", "specs": [ "<0.3.0" @@ -10845,7 +14180,7 @@ }, { "advisory": "nsupdate 0.8.0 fixes a security issue: abuse_blocked flag could be worked around by abuser.", - "cve": null, + "cve": "PVE-2021-25907", "id": "pyup.io-25907", "specs": [ "<0.8.0" @@ -10854,7 +14189,7 @@ }, { "advisory": "nsupdate 0.9.1 fixes a security issue with \"related hosts\" / \"service updaters\".", - "cve": null, + "cve": "PVE-2021-25908", "id": "pyup.io-25908", "specs": [ "<0.9.1" @@ -10862,10 +14197,21 @@ "v": "<0.9.1" } ], + "nuitka": [ + { + "advisory": "Nuitka 0.6.12 uses https URLs for downloading dependency walker, for it to be more secure.", + "cve": "PVE-2021-39648", + "id": "pyup.io-39648", + "specs": [ + "<0.6.12" + ], + "v": "<0.6.12" + } + ], "nukikata": [ { "advisory": "Nukikata 1.4.0 raises an error if Cookiecutter tries to render a template that contains an undefined variable. Makes generation more robust and secure.", - "cve": null, + "cve": "PVE-2021-38418", "id": "pyup.io-38418", "specs": [ "<1.4.0" @@ -10876,7 +14222,7 @@ "numba": [ { "advisory": "Numba 0.49.0 includes an attempt at fixing frame injection in the dispatcher tracing path.", - "cve": null, + "cve": "PVE-2021-38983", "id": "pyup.io-38983", "specs": [ "<0.49.0" @@ -10898,7 +14244,7 @@ "nvidia-tensorflow": [ { "advisory": "Nvidia-tensorflow 1.10.0 builds & links in secure gRPC components (switch from the insecure grpc dependency to secure grpc dependency)", - "cve": null, + "cve": "PVE-2021-38457", "id": "pyup.io-38457", "specs": [ "<1.10.0" @@ -10907,7 +14253,7 @@ }, { "advisory": "Nvidia-tensorflow 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", - "cve": null, + "cve": "PVE-2021-38456", "id": "pyup.io-38456", "specs": [ "<1.12.2" 
@@ -10915,82 +14261,208 @@ "v": "<1.12.2" }, { - "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", - "cve": null, - "id": "pyup.io-38797", + "advisory": "Nvidia-tensorflow includes a fix for CVE-2019-19645: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39711", "specs": [ "<1.15.3" ], "v": "<1.15.3" }, { - "advisory": "Nvidia-tensorflow 1.15.2\r\n* Fixes a security vulnerability where converting a Python string to a `tf.float16` value produces a segmentation fault (CVE-2020-5215)\r\n* Updates `curl` to `7.66.0` to handle CVE-2019-5482 and CVE-2019-5481\r\n* Updates `sqlite3` to `3.30.01` to handle CVE-2019-19646, CVE-2019-19645 and CVE-2019-16168", - "cve": "CVE-2020-5215, CVE-2019-5482, CVE-2019-5481, CVE-2019-19646, CVE-2019-19645, CVE-2019-16168", - "id": "pyup.io-38455", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-15601", + "id": "pyup.io-39713", "specs": [ - ">=1.0.0,<1.15.2" + "<1.15.3" ], - "v": ">=1.0.0,<1.15.2" - } - ], - "oauth-pyzure": [ + "v": "<1.15.3" + }, { - "advisory": "Oauth-pyzure 0.1.4 is based on OSS vulnerability reports.", - "cve": null, - "id": "pyup.io-39077", + "advisory": "Nvidia-tensorflow 1.15.3 includes 
a fix for CVE-2019-10099: Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.", + "cve": "CVE-2019-10099", + "id": "pyup.io-39715", "specs": [ - "<0.1.4" + "<1.15.3" ], - "v": "<0.1.4" - } - ], - "oauth2": [ + "v": "<1.15.3" + }, { - "advisory": "The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.", - "cve": "CVE-2013-4346", - "id": "pyup.io-35462", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-11770", + "id": "pyup.io-38797", "specs": [ - "<1.9" + "<1.15.3" ], - "v": "<1.9" + "v": "<1.15.3" }, { - "advisory": "The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.", - "cve": "CVE-2013-4347", - "id": "pyup.io-35463", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-19880", + "id": "pyup.io-39710", 
"specs": [ - "<1.9" + "<1.15.3" ], - "v": "<1.9" - } - ], - "oauthlib": [ + "v": "<1.15.3" + }, { - "advisory": "oauthlib before 0.7.0 is not stripping client provided passwords from OAuth2 logs.", - "cve": null, - "id": "pyup.io-25909", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-19244", + "id": "pyup.io-39712", "specs": [ - "<0.7.0" + "<1.15.3" ], - "v": "<0.7.0" - } - ], - "obasparql": [ + "v": "<1.15.3" + }, { - "advisory": "Obasparql 2.0.1 bumps werkzeug to >= 0.15.3 to address CVE-2019-14806.", - "cve": "CVE-2019-14806", - "id": "pyup.io-38322", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2019-13960", + "id": "pyup.io-39714", "specs": [ - "<2.0.1" + "<1.15.3" ], - "v": "<2.0.1" - } - ], - "obsplus": [ + "v": "<1.15.3" + }, { - "advisory": "Obsplus 0.0.6 switched from MD5 hashing to SHA256 as the latter is more secure and the computational differences were negligible.", - "cve": null, - "id": "pyup.io-38088", + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and 
CVE-2018-11770", + "cve": "CVE-2018-20330", + "id": "pyup.io-39716", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-19664", + "id": "pyup.io-39717", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Nvidia-tensorflow 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-17190", + "id": "pyup.io-39718", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Nvidia-tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39585", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + }, + { + "advisory": "Nvidia-tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-39586", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + }, + { + "advisory": "Nvidia-tensorflow 1.15.2 updates 'sqlite3' dependency to 3.30.01 to handle CVE-2019-19645: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39583", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + }, + { + "advisory": "Nvidia-tensorflow 1.15.2 updates 'sqlite3' 
dependency to 3.30.01 to handle CVE-2019-19646: pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.", + "cve": "CVE-2019-19646", + "id": "pyup.io-39584", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + }, + { + "advisory": "Nvidia-tensorflow 1.15.2\r\n* Fixes a security vulnerability where converting a Python string to a `tf.float16` value produces a segmentation fault (CVE-2020-5215)", + "cve": "CVE-2020-5215", + "id": "pyup.io-38455", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + }, + { + "advisory": "Nvidia-tensorflow 1.15.2 updates 'sqlite3' dependency to 3.30.01 to handle CVE-2019-16168: In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"", + "cve": "CVE-2019-16168", + "id": "pyup.io-39582", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + } + ], + "oauth-pyzure": [ + { + "advisory": "Oauth-pyzure 0.1.4 is based on OSS vulnerability reports.", + "cve": "PVE-2021-39077", + "id": "pyup.io-39077", + "specs": [ + "<0.1.4" + ], + "v": "<0.1.4" + } + ], + "oauth2": [ + { + "advisory": "The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.", + "cve": "CVE-2013-4346", + "id": "pyup.io-35462", + "specs": [ + "<1.9" + ], + "v": "<1.9" + }, + { + "advisory": "The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.", + "cve": "CVE-2013-4347", + "id": "pyup.io-35463", + "specs": [ + "<1.9" + ], + "v": "<1.9" + } + ], + "oauthlib": [ + { + "advisory": "oauthlib before 0.7.0 is not stripping client 
provided passwords from OAuth2 logs.", + "cve": "PVE-2021-25909", + "id": "pyup.io-25909", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + } + ], + "obasparql": [ + { + "advisory": "Obasparql 2.0.1 bumps werkzeug to >= 0.15.3 to address CVE-2019-14806.", + "cve": "CVE-2019-14806", + "id": "pyup.io-38322", + "specs": [ + "<2.0.1" + ], + "v": "<2.0.1" + } + ], + "obsplus": [ + { + "advisory": "Obsplus 0.0.6 switched from MD5 hashing to SHA256 as the latter is more secure and the computational differences were negligible.", + "cve": "PVE-2021-38088", + "id": "pyup.io-38088", "specs": [ "<0.0.6" ], 
@@ -11033,12 +14505,66 @@ "<2.10.0" ], "v": "<2.10.0" + }, + { + "advisory": "Oci 2.24.1 pins cryptography to version 3.2.1 to address a vulnerability. See: .", + "cve": "PVE-2021-39212", + "id": "pyup.io-39212", + "specs": [ + "<2.24.1" + ], + "v": "<2.24.1" + }, + { + "advisory": "Oci 2.37.0 updates the 'cryptography' dependency version to 3.3.2 to address a security vulnerability.", + "cve": "PVE-2021-40377", + "id": "pyup.io-40377", + "specs": [ + "<2.37.0" + ], + "v": "<2.37.0" } ], "oci-cli": [ + { + "advisory": "Oci-cli 2.22.1 adds support for the 'Vulnerability Scanning' service (as 'oci vulnerability-scanning' command).", + "cve": "PVE-2021-40200", + "id": "pyup.io-40200", + "specs": [ + "<2.22.1" + ], + "v": "<2.22.1" + }, + { + "advisory": "Oci-cli 2.24.0 drops support for Python 3.5. Due to a possible security issue in the version of the dependent cryptography package, its version has been bumped to 3.3.2. This version does not support Python 3.5.", + "cve": "PVE-2021-40255", + "id": "pyup.io-40255", + "specs": [ + "<2.24.0" + ], + "v": "<2.24.0" + }, + { + "advisory": "Oci-cli 2.24.4 updates the 'PyYAML' dependency to version 5.4.1 to address CVE-2020-14343: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. 
This flaw is due to an incomplete fix for CVE-2020-1747.", + "cve": "CVE-2020-14343", + "id": "pyup.io-40829", + "specs": [ + "<2.24.4" + ], + "v": "<2.24.4" + }, + { + "advisory": "Oci-cli 2.24.4 upgrades the 'Py' dependency to version 1.10.0 to address a vulnerability (CVE-2020-29651).", + "cve": "CVE-2020-29651", + "id": "pyup.io-40831", + "specs": [ + "<2.24.4" + ], + "v": "<2.24.4" + }, { "advisory": "Versions of oci-cli prior to 2.4.10 are affected by a security vulnerability. Versions 2.4.11 and later will automatically detect vulnerable installations, and if issues are detected, a warning will be displayed to the user. These issues can be remediated automatically by running the ``oci setup repair-file-permissions`` command.", - "cve": null, + "cve": "PVE-2021-36148", "id": "pyup.io-36148", "specs": [ "<2.4.10" @@ -11098,7 +14624,7 @@ "oe-geoutils": [ { "advisory": "Oe-geoutils 1.5.2 solves security vulnerabilities from external packages 101.", - "cve": null, + "cve": "PVE-2021-37666", "id": "pyup.io-37666", "specs": [ "<1.5.2" 
@@ -11106,10 +14632,81 @@ "v": "<1.5.2" } ], + "oic": [ + { + "advisory": "In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. \r\n\r\nThe issues are: \r\n1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. \r\n2) JWA `none` algorithm was allowed in all flows. \r\n3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementator. \r\n4) iat claim was not checked for sanity (i.e. it could be in the future). \r\n\r\nSee CVE-2020-26244.", + "cve": "CVE-2020-26244", + "id": "pyup.io-39221", + "specs": [ + "<1.2.1" + ], + "v": "<1.2.1" + } + ], + "omero-web": [ + { + "advisory": "OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting. See CVE-2021-21377.", + "cve": "CVE-2021-21377", + "id": "pyup.io-40089", + "specs": [ + "<5.9.0" + ], + "v": "<5.9.0" + }, + { + "advisory": "OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0. 
See CVE-2021-21376.", + "cve": "CVE-2021-21376", + "id": "pyup.io-40088", + "specs": [ + "<5.9.0" + ], + "v": "<5.9.0" + }, + { + "advisory": "Omero-web 5.9.0 includes few security vulnerability fixes.", + "cve": "PVE-2021-40578", + "id": "pyup.io-40578", + "specs": [ + "<5.9.0" + ], + "v": "<5.9.0" + } + ], + "omnizart": [ + { + "advisory": "Omnizart 0.3.3 updates its dependencies to address a security issue.", + "cve": "PVE-2021-40422", + "id": "pyup.io-40422", + "specs": [ + "<0.3.3" + ], + "v": "<0.3.3" + } + ], + "onefuzz": [ + { + "advisory": "Onefuzz 2.5.0 updates multiple third-party Rust libraries. Addresses potential security issue [RUSTSEC-2021-0023].", + "cve": "PVE-2021-39624", + "id": "pyup.io-39624", + "specs": [ + "<2.5.0" + ], + "v": "<2.5.0" + }, + { + "advisory": "Onefuzz 2.7.0 includes a fix for CVE-2020-28493: This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.", + "cve": "CVE-2020-28493", + "id": "pyup.io-39676", + "specs": [ + "<2.7.0" + ], + "v": "<2.7.0" + } + ], "onegov.form": [ { "advisory": "onegov.form before 0.16.1 is not escaping HTML labels in the dynamic formbuilder.", - "cve": null, + "cve": "PVE-2021-25911", "id": "pyup.io-25911", "specs": [ "<0.16.1" @@ -11120,7 +14717,7 @@ "onelogin-aws-assume-role": [ { "advisory": "For security reasons, onelogin-aws-assume-role 1.3.0 removes the ability to provide the IP using a command line parameter and is instead able to provide the IP address at the onelogin.sdk.json file.", - "cve": null, + "cve": "PVE-2021-37158", "id": "pyup.io-37158", "specs": [ "<1.3.0" 
@@ -11131,7 +14728,7 @@ "onixcheck": [ { "advisory": "onixcheck 0.8.0 adds secured XML-Parsing via defusedxml.", - "cve": null, + "cve": "PVE-2021-25912", "id": "pyup.io-25912", "specs": [ "<0.8.0" @@ -11142,7 +14739,7 @@ "online-judge-tools": [ { "advisory": "Online-judge-tools 0.1.53 fixes a Regular Expression Injection issue and a Glob Injection issue.", - "cve": null, + "cve": "PVE-2021-38902", "id": "pyup.io-38902", "specs": [ "<0.1.53" @@ -11153,7 +14750,7 @@ "oodt": [ { "advisory": "oodt before 0.4 is vulnerable to XSS attacks via malformed query strings.", - "cve": null, + "cve": "PVE-2021-25913", "id": "pyup.io-25913", "specs": [ "<0.4" @@ -11164,7 +14761,7 @@ "ooniprobe": [ { "advisory": "ooniprobe before 1.0.2 is vulnerable to several undisclosed security issues.", - "cve": null, + "cve": "PVE-2021-25914", "id": "pyup.io-25914", "specs": [ "<1.0.2" 
@@ -11185,14 +14782,23 @@ ], "openapi-python-client": [ { - "advisory": "Openapi-python-client 0.5.3 sanitizes all values that become file/directory names to address path traversal vulnerabilities (CVE-2020-15141). Additionally, all values that get placed into python files (everything from enum names, to endpoint descriptions, to default values) are validated and/or sanitized to address arbitrary code execution vulnerabilities (CVE-2020-15142). Lastly, due to security concerns/implementation complexities, default values are temporarily unsupported for any `RefProperty` that doesn't refer to an enum.", - "cve": "CVE-2020-15141,CVE-2020-15142", + "advisory": "Openapi-python-client 0.5.3 sanitizes all values that become file/directory names to address path traversal vulnerabilities (CVE-2020-15141). Additionally, due to security concerns/implementation complexities, default values are temporarily unsupported for any `RefProperty` that doesn't refer to an enum.", + "cve": "CVE-2020-15141", "id": "pyup.io-38685", "specs": [ "<0.5.3" ], "v": "<0.5.3" }, + { + "advisory": "In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. See: CVE-2020-15142.", + "cve": "CVE-2020-15142", + "id": "pyup.io-38691", + "specs": [ + "<0.5.3" + ], + "v": "<0.5.3" + }, { "advisory": "In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. See: CVE-2020-15141.", "cve": "CVE-2020-15141", 
@@ -11203,9 +14809,9 @@ "v": "<0.5.3" }, { - "advisory": "In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. See: CVE-2020-15142.", + "advisory": "In openapi-python-client 0.5.3, all values that get placed into python files (everything from enum names, to endpoint descriptions, to default values) are validated and/or sanitized to address arbitrary code execution vulnerabilities (CVE-2020-15142). Also, due to security concerns/implementation complexities, default values are temporarily unsupported for any `RefProperty` that doesn't refer to an enum.", "cve": "CVE-2020-15142", - "id": "pyup.io-38691", + "id": "pyup.io-39581", "specs": [ "<0.5.3" ], @@ -11215,8 +14821,8 @@ "openapigenerator": [ { "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).", - "cve": null, - "id": "pyup.io-37796", + "cve": "PVE-2021-37631", + "id": "pyup.io-37631", "specs": [ "<3.2.1" ], @@ -11224,8 +14830,8 @@ }, { "advisory": "Openapigenerator 3.2.1 updates vulnerable dependencies (Javascript, #784).", - "cve": null, - "id": "pyup.io-37631", + "cve": "PVE-2021-37796", + "id": "pyup.io-37796", "specs": [ "<3.2.1" ], @@ -11233,7 +14839,7 @@ }, { "advisory": "Openapigenerator 3.2.2 updates vulnerable dependencies (JavaScript, #784).", - "cve": null, + "cve": "PVE-2021-37622", "id": "pyup.io-37622", "specs": [ "<3.2.2" @@ -11242,7 +14848,7 @@ }, { "advisory": "Openapigenerator 3.3.2 fixes the Jackson databind security issue (Java, #1259).", - "cve": null, + "cve": "PVE-2021-37629", "id": "pyup.io-37629", "specs": [ "<3.3.2" @@ -11251,7 +14857,7 @@ }, { "advisory": "Openapigenerator 3.3.3 fixes jackson-databind (Java) security issue #1259.", - "cve": null, + "cve": "PVE-2021-37797", "id": "pyup.io-37797", "specs": [ "<3.3.3" 
@@ -11260,7 +14866,7 @@ }, { "advisory": "Openapigenerator 4.0.0 upgrades GRADLE to 2.14.1 to fix a vulnerability (Android, Java, Scala, #2416).", - "cve": null, + "cve": "PVE-2021-37627", "id": "pyup.io-37627", "specs": [ "<4.0.0" @@ -11269,7 +14875,7 @@ }, { "advisory": "Apenapigenerator v4.0.0-beta3 upgrades GRADLE to 2.14.1 to fix a vulnerability (Java, Scala, #2416).", - "cve": null, + "cve": "PVE-2021-37630", "id": "pyup.io-37630", "specs": [ "<4.0.0b3" @@ -11278,7 +14884,7 @@ }, { "advisory": "Openapigenerator 4.0.0beta2 fixes a security issue with dependencies (Java, #1820).", - "cve": null, + "cve": "PVE-2021-37628", "id": "pyup.io-37628", "specs": [ "<4.0.0beta2" @@ -11287,7 +14893,7 @@ }, { "advisory": "Openapigenerator 4.0.2 bumps up the babel-cli version to fix security alert (Javascript/NodeJS, #3121).", - "cve": null, + "cve": "PVE-2021-37626", "id": "pyup.io-37626", "specs": [ "<4.0.2" @@ -11296,7 +14902,7 @@ }, { "advisory": "Openapigenerator 4.0.3 update JS flow dependencies to fix security issues (JavaScript, #3296).", - "cve": null, + "cve": "PVE-2021-37625", "id": "pyup.io-37625", "specs": [ "<4.0.3" @@ -11305,7 +14911,7 @@ }, { "advisory": "Openapigenerator 4.1.0 updates to address recent lodash Object prototype vulnerability (general, #3348).", - "cve": null, + "cve": "PVE-2021-37624", "id": "pyup.io-37624", "specs": [ "<4.1.0" @@ -11314,7 +14920,7 @@ }, { "advisory": "Openapigenerator 4.1.3 fixes the jackson-databind security issue (general, #3945).", - "cve": null, + "cve": "PVE-2021-37623", "id": "pyup.io-37623", "specs": [ "<4.1.3" @@ -11323,7 +14929,7 @@ }, { "advisory": "Openapigenerator 4.2.1 fixes the Jackson databind security issue (Java, #4370).", - "cve": null, + "cve": "PVE-2021-37798", "id": "pyup.io-37798", "specs": [ "<4.2.1" 
@@ -11343,7 +14949,7 @@ "openslides": [ { "advisory": "openslides 2.1 now validates HTML strings from CKEditor against XSS attacks.", - "cve": null, + "cve": "PVE-2021-34681", "id": "pyup.io-34681", "specs": [ "<2.1" @@ -11363,9 +14969,9 @@ "v": "<15.0.1,==16.0.0" }, { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. See: CVE-2020-12689.", - "cve": "CVE-2020-12689", - "id": "pyup.io-38257", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. See: CVE-2020-12691.", + "cve": "CVE-2020-12691", + "id": "pyup.io-38259", "specs": [ "<15.0.1", "==16.0.0" 
@@ -11373,9 +14979,9 @@ "v": "<15.0.1,==16.0.0" }, { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. See: CVE-2020-12691.", - "cve": "CVE-2020-12691", - "id": "pyup.io-38259", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. See: CVE-2020-12690.", + "cve": "CVE-2020-12690", + "id": "pyup.io-38258", "specs": [ "<15.0.1", "==16.0.0" 
@@ -11383,9 +14989,9 @@ "v": "<15.0.1,==16.0.0" }, { - "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. See: CVE-2020-12690.", - "cve": "CVE-2020-12690", - "id": "pyup.io-38258", + "advisory": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. See: CVE-2020-12689.", + "cve": "CVE-2020-12689", + "id": "pyup.io-38257", "specs": [ "<15.0.1", "==16.0.0" 
@@ -11412,7 +15018,7 @@ "v": "==2013" }, { - "advisory": "It is possible to remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB). Reportedly, all versions are affected. See also: CVE-2012-1572 and .", + "advisory": "It is possible to remotely trigger a crash in Keystone by sending an extremely long password. When Keystone is validating the password, glibc allocates space on the stack for the entire password. If the password is long enough, stack space can be exhausted, resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonable limit on password length (4 kB). Reportedly, all versions are affected. See also: CVE-2012-1572 and https://security.openstack.org/ossa/OSSA-2012-002.html.", "cve": "CVE-2012-1572", "id": "pyup.io-37740", "specs": [ @@ -11424,7 +15030,7 @@ "opentaxii": [ { "advisory": "opentaxii 0.1.11 requires recent version of `lxml` for security reasons.", - "cve": null, + "cve": "PVE-2021-36897", "id": "pyup.io-36897", "specs": [ "<0.1.11" 
@@ -11432,10 +15038,30 @@ "v": "<0.1.11" } ], + "openvino": [ + { + "advisory": "Openvino 2020.3.1 includes security and functionality bug fixes, and minor capability changes.", + "cve": "PVE-2021-40082", + "id": "pyup.io-40082", + "specs": [ + "<2020.3.1" + ], + "v": "<2020.3.1" + }, + { + "advisory": "Openvino 2021.2 includes new OpenVINO Security Add-on, which controls access to model(s) through secure packaging and execution. Based on KVM Virtual machines and Docker containers and compatible with the OpenVINO Model Server, this new add-on enables packaging for flexible deployment and controlled model access.", + "cve": "PVE-2021-40081", + "id": "pyup.io-40081", + "specs": [ + "<2021.2" + ], + "v": "<2021.2" + } + ], "optimade": [ { "advisory": "Optimade 0.7.0 includes a fix that addresses a Django vulnerability. See: .", - "cve": null, + "cve": "PVE-2021-38453", "id": "pyup.io-38453", "specs": [ "<0.7.0" @@ -11446,7 +15072,7 @@ "orange3-bioinformatics": [ { "advisory": "Orange3-bioinformatics 4.2.0 adds the Orange.widgets.credentials.CredentialManager to securely store user password.", - "cve": null, + "cve": "PVE-2021-38958", "id": "pyup.io-38958", "specs": [ "<4.2.0" @@ -11457,7 +15083,7 @@ "ores": [ { "advisory": "Ores 1.3.1 addresses yaml security issue by bumping dependency version. It also uses JSON as celery serializer for increased security.", - "cve": null, + "cve": "PVE-2021-37949", "id": "pyup.io-37949", "specs": [ "<1.3.1" 
@@ -11465,10 +15091,21 @@ "v": "<1.3.1" } ], + "ormar": [ + { + "advisory": "Ormar 0.10.9 updates the 'pydantic' library to fix a security vulnerability (CVE-2021-29510).", + "cve": "CVE-2021-29510", + "id": "pyup.io-40577", + "specs": [ + "<0.10.9" + ], + "v": "<0.10.9" + } + ], "osc": [ { "advisory": "Osc 0.123 is the first release that performs SSL certificate checks to prevent man-in-the-middle-attacks. Python-m2crypto is needed to make this work. Certificate checks can be turned off per server via 'sslcertck = 0' in .oscrc.", - "cve": null, + "cve": "PVE-2021-37874", "id": "pyup.io-37874", "specs": [ "<0.123" @@ -11477,7 +15114,7 @@ }, { "advisory": "Osc 0.134 includes a security fix for the buildlog function. Terminal control characters are limited now.", - "cve": null, + "cve": "PVE-2021-37873", "id": "pyup.io-37873", "specs": [ "<0.134" @@ -11506,7 +15143,7 @@ "otpauth": [ { "advisory": "otpauth before 1.0.1 is vulnerable to timing attacks.", - "cve": null, + "cve": "PVE-2021-25915", "id": "pyup.io-25915", "specs": [ "<1.0.1" @@ -11538,7 +15175,7 @@ "ovs": [ { "advisory": "ovs 1.3.0 includes a fix that flow setups are now processed in a round-robin manner across ports to prevent any single client from monopolizing the CPU and conducting a denial of service attack.", - "cve": null, + "cve": "PVE-2021-25917", "id": "pyup.io-25917", "specs": [ "<1.3.0" 
@@ -11557,10 +15194,30 @@ "v": "<2.0.0a12" } ], + "pact-python": [ + { + "advisory": "Pact-python 1.3.6 includes several vulnerability fixes for Dockerfile(s).", + "cve": "PVE-2021-40235", + "id": "pyup.io-40235", + "specs": [ + "<1.3.6" + ], + "v": "<1.3.6" + }, + { + "advisory": "Pact-python 1.3.7 includes important fixes for Dockerfiles (py37.Dockerfile, py38.Dockerfile, py36.Dockerfile) to reduce vulnerabilities.", + "cve": "PVE-2021-40324", + "id": "pyup.io-40324", + "specs": [ + "<1.3.7" + ], + "v": "<1.3.7" + } + ], "pakettikauppa": [ { "advisory": "pakettikauppa 0.1.2 fixes Pip files and requirement files for fixing security issue in pyyaml module", - "cve": null, + "cve": "PVE-2021-36779", "id": "pyup.io-36779", "specs": [ "<0.1.2" @@ -11571,7 +15228,7 @@ "palladium": [ { "advisory": "Palladium 1.2.2 updates requirements, fixing potential security vulnerabilities in dependencies.", - "cve": null, + "cve": "PVE-2021-37378", "id": "pyup.io-37378", "specs": [ "<1.2.2" @@ -11580,7 +15237,7 @@ }, { "advisory": "Palladium 1.2.3 updates its requirements in order to use newer versions of dependencies. This fixes some potential security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-38263", "id": "pyup.io-38263", "specs": [ "<1.2.3" @@ -11591,7 +15248,7 @@ "pandas-zmq": [ { "advisory": "Pandas-zmq 0.0.2 adds a signature to improve security.", - "cve": null, + "cve": "PVE-2021-38627", "id": "pyup.io-38627", "specs": [ "<0.0.2" @@ -11602,7 +15259,7 @@ "pandevice": [ { "advisory": "Pandevice 0.11.0 adds `uuid` params for security and NAT rules.", - "cve": null, + "cve": "PVE-2021-37198", "id": "pyup.io-37198", "specs": [ "<0.11.0" @@ -11613,7 +15270,7 @@ "pando": [ { "advisory": "pando before 0.39 is vulnerable to security bugs related to CRLF injection.", - "cve": null, + "cve": "PVE-2021-25918", "id": "pyup.io-25918", "specs": [ "<0.39" 
@@ -11622,7 +15279,7 @@ }, { "advisory": "pando before 0.42 is vulnerable to URL redirection attacks.", - "cve": null, + "cve": "PVE-2021-25919", "id": "pyup.io-25919", "specs": [ "<0.42" @@ -11630,10 +15287,21 @@ "v": "<0.42" } ], + "pangres": [ + { + "advisory": "Pangres 2.1 was released with the claim that it became completely SQL injection safe. Everything is escaped or parameterized including schema, table and column names.", + "cve": "PVE-2021-39284", + "id": "pyup.io-39284", + "specs": [ + "<2.1" + ], + "v": "<2.1" + } + ], "panoptes-utils": [ { "advisory": "Panoptes-utils 0.2.21 bumps PyYaml to its latest version to suppress a security warning.", - "cve": null, + "cve": "PVE-2021-38493", "id": "pyup.io-38493", "specs": [ "<0.2.21" @@ -11644,7 +15312,7 @@ "paradrop": [ { "advisory": "Paradrop 0.10.0 supports more WiFi encryption settings, including properly supporting CCMP for better security.", - "cve": null, + "cve": "PVE-2021-37491", "id": "pyup.io-37491", "specs": [ "<0.10.0" @@ -11653,7 +15321,7 @@ }, { "advisory": "Paradrop 0.13.0 updates dependency versions to address vulnerabilities in old versions of pyOpenSSL, requests, and urllib3.", - "cve": null, + "cve": "PVE-2021-37490", "id": "pyup.io-37490", "specs": [ "<0.13.0" @@ -11662,7 +15330,7 @@ }, { "advisory": "Paradrop 0.5 secures the router settings page with a login system.", - "cve": null, + "cve": "PVE-2021-37492", "id": "pyup.io-37492", "specs": [ "<0.5" @@ -11673,7 +15341,7 @@ "paramiko-ng": [ { "advisory": "Paramiko-ng 1.7.2 fixes the PRNG to be more secure on windows and in cases where fork() is called.", - "cve": null, + "cve": "PVE-2021-37114", "id": "pyup.io-37114", "specs": [ "<1.7.2" @@ -11684,7 +15352,7 @@ "passlib": [ { "advisory": "passlib before 1.4 not disabled unix_fallback's \"wildcard password\" support unless explicitly enabled by user.", - "cve": null, + "cve": "PVE-2021-25921", "id": "pyup.io-25921", "specs": [ "<1.4" 
@@ -11695,7 +15363,7 @@ "password-safe-box": [ { "advisory": "Password-safe-box 0.2 adds Fast Convert (which provides slightly better security than a normal hash).", - "cve": null, + "cve": "PVE-2021-38703", "id": "pyup.io-38703", "specs": [ "<0.2" @@ -11706,7 +15374,7 @@ "paste": [ { "advisory": "paste before 0.9.5 has a security vulnerability in ``paste.urlparser``'s StaticURLParser and PkgResourcesParser where, with some servers, you could escape the document root.", - "cve": null, + "cve": "PVE-2021-25922", "id": "pyup.io-25922", "specs": [ "<0.9.5" @@ -11715,7 +15383,7 @@ }, { "advisory": "paste 1.1 includes a security fix for ``paste.urlparser.StaticURLParser``. The problem allowed escaping the root (and reading files) when used with ``paste.httpserver`` (this does not effect other servers, and does not apply when proxying requests from Apache to ``paste.httpserver``).", - "cve": null, + "cve": "PVE-2021-25923", "id": "pyup.io-25923", "specs": [ "<1.1" 
@@ -11723,18 +15391,18 @@ "v": "<1.1" }, { - "advisory": "paste before 1.7.4 is vulnerable to a XSS attack in paste.urlparser.StaticURLParser.", - "cve": null, - "id": "pyup.io-25924", + "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.", + "cve": "CVE-2010-2477", + "id": "pyup.io-35340", "specs": [ "<1.7.4" ], "v": "<1.7.4" }, { - "advisory": "Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.", - "cve": "CVE-2010-2477", - "id": "pyup.io-35340", + "advisory": "paste before 1.7.4 is vulnerable to a XSS attack in paste.urlparser.StaticURLParser.", + "cve": "PVE-2021-25924", + "id": "pyup.io-25924", "specs": [ "<1.7.4" ], @@ -11755,7 +15423,7 @@ "pathfinder": [ { "advisory": "Pathfinder 0.5.4 includes a fix that addresses a security alert regarding the version of jinja2.", - "cve": null, + "cve": "PVE-2021-38220", "id": "pyup.io-38220", "specs": [ "<0.5.4" 
@@ -11763,6 +15431,17 @@ "v": "<0.5.4" } ], + "payton": [ + { + "advisory": "payton 0.1.4 upgrades Pillow from 7.x, since it had a security issue. This version is just for upgrading Pillow up to a secure version.", + "cve": "PVE-2021-40214", + "id": "pyup.io-40214", + "specs": [ + "<0.1.4" + ], + "v": "<0.1.4" + } + ], "pconf": [ { "advisory": "pconf before 1.3.3 is vulnerable to arbitrary code execution related to [CVE-2017-18342](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342) because of YAML's `load`. \r\nThis upgrades to use YAML `safe_load` instead of `load`.", @@ -11777,7 +15456,7 @@ "pcp": [ { "advisory": "pcp before 2.1.911 has a not further described vulnerability in pcp.spec.in.", - "cve": null, + "cve": "PVE-2021-25926", "id": "pyup.io-25926", "specs": [ "<2.1.911" @@ -11788,7 +15467,7 @@ "pdfextract": [ { "advisory": "pdfextract before 0.0.2 is using `eval` on filenames, leading to execution of arbitrary Python code.", - "cve": null, + "cve": "PVE-2021-25927", "id": "pyup.io-25927", "specs": [ "<0.0.2" @@ -11797,9 +15476,18 @@ } ], "pdfreader": [ + { + "advisory": "Pdfreader 0.1.6 updates its dependency on pillow to version >= 7.1.0 to address security issues. No details were provided.", + "cve": "PVE-2021-39314", + "id": "pyup.io-39314", + "specs": [ + "<0.1.6" + ], + "v": "<0.1.6" + }, { "advisory": "Pdfreader 0.1.6.dev1 bumps Pillow to version >= 7.1.0 to address security issues.", - "cve": null, + "cve": "PVE-2021-39118", "id": "pyup.io-39118", "specs": [ "<0.1.6.dev1" @@ -11810,7 +15498,7 @@ "pdkit": [ { "advisory": "Pdkit 1.2.1 includes an unspecified security fix for included libraries.", - "cve": null, + "cve": "PVE-2021-37793", "id": "pyup.io-37793", "specs": [ "<1.2.1" 
@@ -11821,7 +15509,7 @@ "peewee": [ { "advisory": "The main change in this release is the removal of the `AESEncryptedField`,\r\nwhich was included as part of the `playhouse.fields` extension. It was brought\r\nto my attention that there was some serious potential for security\r\nvulnerabilities. Rather than give users a false sense of security, I've decided\r\nthe best course of action is to remove the field.", - "cve": null, + "cve": "PVE-2021-34337", "id": "pyup.io-34337", "specs": [ "<2.10.0" @@ -11832,7 +15520,7 @@ "peppercorn": [ { "advisory": "peppercorn before 0.5 is vulnerable to DoS attacks due to the use of an iterative parser rather than a recursive parser.", - "cve": null, + "cve": "PVE-2021-25928", "id": "pyup.io-25928", "specs": [ "<0.5" @@ -11843,7 +15531,7 @@ "persephone": [ { "advisory": "Persephone 0.4.0 updates the nltk dependency to resolve a possible security issue.", - "cve": null, + "cve": "PVE-2021-38231", "id": "pyup.io-38231", "specs": [ "<0.4.0" @@ -11854,7 +15542,7 @@ "pex": [ { "advisory": "pex before 0.5.6 follows links which may lead to security issues: https://rbcommons.com/s/twitter/r/293/.", - "cve": null, + "cve": "PVE-2021-25929", "id": "pyup.io-25929", "specs": [ "<0.5.6" @@ -11863,7 +15551,7 @@ }, { "advisory": "Pex 0.8.0 includes a fix to refactor http handling to allow for alternate http implementations. This adds support for 'requests' , improving both performance and security. For more information, read the commit notes at and .", - "cve": null, + "cve": "PVE-2021-27426", "id": "pyup.io-27426", "specs": [ "<0.8.0" 
@@ -11871,10 +15559,21 @@ "v": "<0.8.0" } ], + "pfun": [ + { + "advisory": "Pfun 0.12.0 updates the 'aiohttp' dependency to 3.7.4 to avoid an open redirect vulnerability.", + "cve": "PVE-2021-40141", + "id": "pyup.io-40141", + "specs": [ + "<0.12.0" + ], + "v": "<0.12.0" + } + ], "phileo": [ { "advisory": "phileo before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).", - "cve": null, + "cve": "PVE-2021-25930", "id": "pyup.io-25930", "specs": [ "<0.3" 
@@ -11882,10 +15581,63 @@ "v": "<0.3" } ], + "phoenix-letter": [ + { + "advisory": "Phoenix-letter 0.2.0 adds the flag '--aws-keys' to securely ask for the AWS credentials to avoid keeping sensitive information accessible in plain text. Without this flag, it falls back to the Boto3 default credential search.", + "cve": "PVE-2021-39438", + "id": "pyup.io-39438", + "specs": [ + "<0.2.0" + ], + "v": "<0.2.0" + } + ], + "phonenumbers": [ + { + "advisory": "Phonenumbers 8.3.1 contains a security improvement of the getNationalSignificantNumber function to make it more robust against malicious input.", + "cve": "PVE-2021-39441", + "id": "pyup.io-39441", + "specs": [ + "<8.3.1" + ], + "v": "<8.3.1" + } + ], + "pi-mqtt-gpio": [ + { + "advisory": "Pi-mqtt-gpio 0.5.2 updates the PyYAML to a version that doesn't suffer from CVE-2020-1747 vulnerability.", + "cve": "CVE-2020-1747", + "id": "pyup.io-39464", + "specs": [ + "<0.5.2" + ], + "v": "<0.5.2" + } + ], + "pib-cli": [ + { + "advisory": "Pib-cli 0.0.9 updates the 'PyYAML' dependency to fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. 
This flaw is due to an incomplete fix for CVE-2020-1747.", + "cve": "CVE-2020-14343", + "id": "pyup.io-40480", + "specs": [ + "<0.0.9" + ], + "v": "<0.0.9" + } + ], "piccolo": [ + { + "advisory": "Piccolo 0.13.1 bumps the 'Node' dependencies with security warnings.", + "cve": "PVE-2021-40659", + "id": "pyup.io-40659", + "specs": [ + "<0.13.1" + ], + "v": "<0.13.1" + }, { "advisory": "Piccolo 0.2 uses 'QueryString' internally to represent queries (instead of raw strings) to harden against SQL injection.", - "cve": null, + "cve": "PVE-2021-38919", "id": "pyup.io-38919", "specs": [ "<0.2" @@ -11894,7 +15646,7 @@ }, { "advisory": "Piccolo 0.9.1 bumps node requirements because of a security warning.", - "cve": null, + "cve": "PVE-2021-38768", "id": "pyup.io-38768", "specs": [ "<0.9.1" @@ -11903,9 +15655,18 @@ } ], "piccolo-admin": [ + { + "advisory": "Piccolo-admin 0.13.1 updates underlying 'Node.js' dependencies with security warnings.", + "cve": "PVE-2021-40867", + "id": "pyup.io-40867", + "specs": [ + "<0.13.1" + ], + "v": "<0.13.1" + }, { "advisory": "Piccolo-admin 0.9.1 upgrades the node requirements because of a security warning.", - "cve": null, + "cve": "PVE-2021-38643", "id": "pyup.io-38643", "specs": [ "<0.9.1" @@ -11916,7 +15677,7 @@ "pigar": [ { "advisory": "pigar 0.9.1 sixes some potential security vulnerabilities", - "cve": null, + "cve": "PVE-2021-36904", "id": "pyup.io-36904", "specs": [ "<0.9.1" 
@@ -11924,10 +15685,30 @@ "v": "<0.9.1" } ], + "pikepdf": [ + { + "advisory": "models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.", + "cve": "CVE-2021-29421", + "id": "pyup.io-40137", + "specs": [ + ">=1.3.0,<=2.9.2" + ], + "v": ">=1.3.0,<=2.9.2" + } + ], "pillow": [ { - "advisory": "pillow before 2.3.1 makes insecure use of tempfile.mktemp (CVE-2014-1932, CVE-2014-1933).", - "cve": "CVE-2014-1932, CVE-2014-1933", + "advisory": "pillow before 2.3.1 makes insecure use of tempfile.mktemp (CVE-2014-1933).", + "cve": "CVE-2014-1933", + "id": "pyup.io-39580", + "specs": [ + "<2.3.1" + ], + "v": "<2.3.1" + }, + { + "advisory": "pillow before 2.3.1 makes insecure use of tempfile.mktemp (CVE-2014-1932).", + "cve": "CVE-2014-1932", "id": "pyup.io-25931", "specs": [ "<2.3.1" @@ -11936,7 +15717,7 @@ }, { "advisory": "pillow before 2.3.2 is vulnerable to a DOS in the IcnsImagePlugin.", - "cve": null, + "cve": "PVE-2021-25932", "id": "pyup.io-25932", "specs": [ "<2.3.2" @@ -11945,7 +15726,7 @@ }, { "advisory": "Pillow 2.5.0 includes a fix that prevents shell injection.", - "cve": null, + "cve": "PVE-2021-38907", "id": "pyup.io-38907", "specs": [ "<2.5.0" @@ -11954,7 +15735,7 @@ }, { "advisory": "pillow before 2.5.2 is vulnerable to a DoS in the IcnsImagePlugin.", - "cve": null, + "cve": "PVE-2021-25933", "id": "pyup.io-25933", "specs": [ "<2.5.2" @@ -11963,7 +15744,7 @@ }, { "advisory": "pillow before 2.5.3 is vulnerable to a DoS in the Jpeg2KImagePlugin.", - "cve": null, + "cve": "PVE-2021-25934", "id": "pyup.io-25934", "specs": [ "<2.5.3" 
@@ -12006,15 +15787,6 @@ ], "v": "<3.1.1" }, - { - "advisory": "Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.", - "cve": "CVE-2016-0775", - "id": "pyup.io-33135", - "specs": [ - "<3.1.1" - ], - "v": "<3.1.1" - }, { "advisory": "Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.", "cve": "CVE-2016-2533", @@ -12033,6 +15805,15 @@ ], "v": "<3.1.1" }, + { + "advisory": "Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.", + "cve": "CVE-2016-0775", + "id": "pyup.io-33135", + "specs": [ + "<3.1.1" + ], + "v": "<3.1.1" + }, { "advisory": "pillow before 3.1.2 is vulnerable to an integer overflow in Jpeg2KEncode.c causing a buffer overflow. CVE-2016-3076.", "cve": "CVE-2016-3076", @@ -12061,16 +15842,16 @@ "v": "<3.3.2" }, { - "advisory": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.", - "cve": "CVE-2020-5313", - "id": "pyup.io-37782", + "advisory": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.", + "cve": "CVE-2020-5310", + "id": "pyup.io-37779", "specs": [ "<6.2.2" ], "v": "<6.2.2" }, { - "advisory": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. See:CVE-2020-5312.", + "advisory": "libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.", "cve": "CVE-2020-5312", "id": "pyup.io-37781", "specs": [ 
@@ -12079,27 +15860,27 @@ "v": "<6.2.2" }, { - "advisory": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. See: CVE-2020-5311.", - "cve": "CVE-2020-5311", - "id": "pyup.io-37780", + "advisory": "libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. See: CVE-2020-5313.", + "cve": "CVE-2020-5313", + "id": "pyup.io-37782", "specs": [ "<6.2.2" ], "v": "<6.2.2" }, { - "advisory": "libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. See: CVE-2020-5310.", - "cve": "CVE-2020-5310", - "id": "pyup.io-37779", + "advisory": "libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.", + "cve": "CVE-2020-5311", + "id": "pyup.io-37780", "specs": [ "<6.2.2" ], "v": "<6.2.2" }, { - "advisory": "In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. See: CVE-2020-10378.", - "cve": "CVE-2020-10378", - "id": "pyup.io-38449", + "advisory": "In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c. See: CVE-2020-10379.", + "cve": "CVE-2020-10379", + "id": "pyup.io-38450", "specs": [ "<6.2.3", ">=7.0.0,<7.0.1" @@ -12107,9 +15888,9 @@ "v": "<6.2.3,>=7.0.0,<7.0.1" }, { - "advisory": "In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Overflows in libImaging/TiffDecode.c. See: CVE-2020-10379.", - "cve": "CVE-2020-10379", - "id": "pyup.io-38450", + "advisory": "In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. See: CVE-2020-10378.", + "cve": "CVE-2020-10378", + "id": "pyup.io-38449", "specs": [ "<6.2.3", ">=7.0.0,<7.0.1" 
@@ -12125,6 +15906,168 @@ ], "v": "<7.0.0" }, + { + "advisory": "Pillow 8.0.1 updates FreeType used in binary wheels to 2.10.4 to fix CVE-2020-15999.", + "cve": "CVE-2020-15999", + "id": "pyup.io-40264", + "specs": [ + "<8.0.1" + ], + "v": "<8.0.1" + }, + { + "advisory": "Pillow 8.1.0 fixes TIFF OOB Write error. CVE-2020-35654 #5175.", + "cve": "CVE-2020-35654", + "id": "pyup.io-40265", + "specs": [ + "<8.1.0" + ], + "v": "<8.1.0" + }, + { + "advisory": "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. See: CVE-2020-35653.", + "cve": "CVE-2020-35653", + "id": "pyup.io-40270", + "specs": [ + "<8.1.0" + ], + "v": "<8.1.0" + }, + { + "advisory": "Pillow 8.1.0 includes a fix for SGI Decode buffer overrun. CVE-2020-35655 #5173.", + "cve": "CVE-2020-35655", + "id": "pyup.io-40271", + "specs": [ + "<8.1.0" + ], + "v": "<8.1.0" + }, + { + "advisory": "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. 
See: CVE-2021-25290.", + "cve": "CVE-2021-25290", + "id": "pyup.io-40275", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Pillow 8.1.1 fixes OOB Read in TiffDecode.c, and checks the tile validity before reading (CVE-2021-25291).", + "cve": "CVE-2021-25291", + "id": "pyup.io-40272", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Pillow 8.1.1 uses more specific regex chars to prevent ReDoS (CVE-2021-25292).", + "cve": "CVE-2021-25292", + "id": "pyup.io-40266", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Pillow 8.1.1 fixes incorrect error code checking in TiffDecode.c (CVE-2021-25289).", + "cve": "CVE-2021-25289", + "id": "pyup.io-40274", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Pillow 8.1.1 fixes OOB read in SgiRleDecode.c (CVE-2021-25293).", + "cve": "CVE-2021-25293", + "id": "pyup.io-40273", + "specs": [ + "<8.1.1" + ], + "v": "<8.1.1" + }, + { + "advisory": "Pillow 8.1.2 fixes memory DOS in BLP Image Plugin (CVE-2021-27921).", + "cve": "CVE-2021-27921", + "id": "pyup.io-40263", + "specs": [ + "<8.1.2" + ], + "v": "<8.1.2" + }, + { + "advisory": "Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).", + "cve": "CVE-2021-27922", + "id": "pyup.io-40267", + "specs": [ + "<8.1.2" + ], + "v": "<8.1.2" + }, + { + "advisory": "Pillow 8.1.2 fixes memory DOS in ICO Image Plugin (CVE-2021-27923).", + "cve": "CVE-2021-27923", + "id": "pyup.io-40268", + "specs": [ + "<8.1.2" + ], + "v": "<8.1.2" + }, + { + "advisory": "Pillow 8.1.2 fixes memory DOS in ICNS Image Plugin (CVE-2021-27922).", + "cve": "CVE-2021-27922", + "id": "pyup.io-40269", + "specs": [ + "<8.1.2" + ], + "v": "<8.1.2" + }, + { + "advisory": "An issue was discovered in Pillow before 8.2.0. 
There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.", + "cve": "CVE-2021-25287", + "id": "pyup.io-40592", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, + { + "advisory": "An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. See: CVE-2021-28676.", + "cve": "CVE-2021-28676", + "id": "pyup.io-40594", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, + { + "advisory": "An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.", + "cve": "CVE-2021-28678", + "id": "pyup.io-40596", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, + { + "advisory": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.", + "cve": "CVE-2021-25288", + "id": "pyup.io-40593", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, + { + "advisory": "An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.", + "cve": "CVE-2021-28677", + "id": "pyup.io-40595", + "specs": [ + "<8.2.0" + ], + "v": "<8.2.0" + }, { "advisory": "In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files. See: CVE-2020-11538. Note that this is a different issue than CVE-2020-5311.", "cve": "CVE-2020-11538", 
@@ -12134,6 +16077,15 @@ ], "v": "<=7.0.0" }, + { + "advisory": "Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.", + "cve": "CVE-2021-34552", + "id": "pyup.io-40965", + "specs": [ + "<=8.2.0" + ], + "v": "<=8.2.0" + }, { "advisory": "There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. See: CVE-2019-19911.", "cve": "CVE-2019-19911", @@ -12146,8 +16098,17 @@ ], "pillow-simd": [ { - "advisory": "pillow-simd before 2.3.2 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3598, CVE-2014-3589", + "advisory": "pillow-simd before 2.3.2 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3589", + "id": "pyup.io-39579", + "specs": [ + "<2.3.2" + ], + "v": "<2.3.2" + }, + { + "advisory": "pillow-simd before 2.3.2 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin.", + "cve": "CVE-2014-3598", "id": "pyup.io-25947", "specs": [ "<2.3.2" @@ -12155,8 +16116,8 @@ "v": "<2.3.2" }, { - "advisory": "pillow-simd before 2.5.2 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3598, CVE-2014-3589", + "advisory": "pillow-simd before 2.5.2 is vulnerable to CVE-2014-3598.", + "cve": "CVE-2014-3598", "id": "pyup.io-25948", "specs": [ "<2.5.2" 
@@ -12164,8 +16125,17 @@ "v": "<2.5.2" }, { - "advisory": "pillow-simd before 2.5.3 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3598, CVE-2014-3589", + "advisory": "pillow-simd before 2.5.2 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3589", + "id": "pyup.io-39578", + "specs": [ + "<2.5.2" + ], + "v": "<2.5.2" + }, + { + "advisory": "Pillow-simd before 2.5.3 is vulnerable to CVE-2014-3598.", + "cve": "CVE-2014-3598", "id": "pyup.io-25949", "specs": [ "<2.5.3" @@ -12173,8 +16143,26 @@ "v": "<2.5.3" }, { - "advisory": "pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3598, a DOS in the Jpeg2KImagePlugin and CVE-2014-3589, a DOS in the IcnsImagePlugin.", - "cve": "CVE-2014-3598, CVE-2014-3589", + "advisory": "pillow-simd before 2.5.3 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3589", + "id": "pyup.io-39577", + "specs": [ + "<2.5.3" + ], + "v": "<2.5.3" + }, + { + "advisory": "pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3589, a DOS in the IcnsImagePlugin.", + "cve": "CVE-2014-3589", + "id": "pyup.io-39576", + "specs": [ + "<2.6.0rc1" + ], + "v": "<2.6.0rc1" + }, + { + "advisory": "Pillow-simd before 2.6.0rc1 is vulnerable to CVE-2014-3598.", + "cve": "CVE-2014-3598", "id": "pyup.io-25950", "specs": [ "<2.6.0rc1" @@ -12201,7 +16189,7 @@ }, { "advisory": "pillow-simd before 3.1.1 is vulnerable to multiple buffer overlows in Resample.c, PcdDecode.c, FliDecode.c and TiffDecode.c.", - "cve": null, + "cve": "PVE-2021-25953", "id": "pyup.io-25953", "specs": [ "<3.1.1" @@ -12221,7 +16209,7 @@ "pim-dm": [ { "advisory": "pim-dm 1.0 includes dissertation work and an unspecified security implementation", - "cve": null, + "cve": "PVE-2021-37857", "id": "pyup.io-37857", "specs": [ "<1.0" 
@@ -12232,7 +16220,7 @@ "pinax-likes": [ { "advisory": "pinax-likes before 0.3 allows users to like anything and everything, which could potentially lead to security problems (eg. liking entries in permission tables, and thus seeing their content; liking administrative users and thus getting their username).", - "cve": null, + "cve": "PVE-2021-25955", "id": "pyup.io-25955", "specs": [ "<0.3" @@ -12261,7 +16249,7 @@ }, { "advisory": "pip 1.4 includes a security patch to pip's ssl support related to certificate DNS wildcard matching.", - "cve": null, + "cve": "PVE-2021-25959", "id": "pyup.io-25959", "specs": [ "<1.4" @@ -12286,6 +16274,15 @@ ], "v": "<19.2" }, + { + "advisory": "Pip 21.1 includes a fix for CVE-2021-28363: The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.", + "cve": "CVE-2021-28363", + "id": "pyup.io-40291", + "specs": [ + "<21.1" + ], + "v": "<21.1" + }, { "advisory": "pip before 6.0 is not using a randomized and secure default build directory when possible. (CVE-2014-8991).", "cve": "CVE-2014-8991", @@ -12308,7 +16305,7 @@ "pipenv": [ { "advisory": "Pipenv 2020.5.28 includes the --key command to include a personal PyUp API token when running `pipenv check`. This version also updates several dependencies to their latest versions for security and bug fixes.", - "cve": null, + "cve": "PVE-2021-38334", "id": "pyup.io-38334", "specs": [ "<2020.5.28" 
@@ -12319,7 +16316,7 @@ "pirate-get": [ { "advisory": "pirate-get before 0.2.8 is not properly validating torrent file names.\r\n\r\n- https://github.com/vikstrous/pirate-get/issues/73", - "cve": null, + "cve": "PVE-2021-34168", "id": "pyup.io-34168", "specs": [ "<0.2.8" @@ -12330,7 +16327,7 @@ "pkgcore": [ { "advisory": "pkgcore 0.4.7.12 includes a security fix; force cwd to something controlled for ebuild env. This blocks an attack detailed in glsa 200810-02; namely that an ebuild invoking python -c (which looks in cwd for modules to load) allows for an attacker to slip something in.", - "cve": null, + "cve": "PVE-2021-25962", "id": "pyup.io-25962", "specs": [ "<0.4.7.12" @@ -12341,7 +16338,7 @@ "platformio": [ { "advisory": "platformio 4.1.0 fixes a security issue when extracting items from TAR archive - see https://github.com/platformio/platformio-core/issues/2995", - "cve": null, + "cve": "PVE-2021-37869", "id": "pyup.io-37869", "specs": [ "<4.1.0" @@ -12352,7 +16349,7 @@ "plomino": [ { "advisory": "plomino before 1.18 has a major vulnerability in open_url (now, targeted sources must be declared safe from an local package).", - "cve": null, + "cve": "PVE-2021-25963", "id": "pyup.io-25963", "specs": [ "<1.18" @@ -12361,7 +16358,7 @@ }, { "advisory": "plomino 1.5.3 includes a security fix: when a group has PlominoAuthors rights, members of this group are just authors on their own documents.", - "cve": null, + "cve": "PVE-2021-25964", "id": "pyup.io-25964", "specs": [ "<1.5.3" 
@@ -12443,9 +16440,18 @@ ], "v": "<4.3" }, + { + "advisory": "The official plone Docker images before version of 4.3.18-alpine (Alpine specific) contain a blank password for a root user. System using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. See CVE-2020-35190.", + "cve": "CVE-2020-35190", + "id": "pyup.io-39305", + "specs": [ + "<4.3.18" + ], + "v": "<4.3.18" + }, { "advisory": "Plone 5.2.2 contains Products.isurlinportal 1.1.0 with a minor security hardening fix.", - "cve": null, + "cve": "PVE-2021-38990", "id": "pyup.io-38990", "specs": [ "<5.2.2" @@ -12454,7 +16460,7 @@ }, { "advisory": "Plone 5.2.2rc1 fixes that isURLInPortal could be tricked into accepting malicious links.", - "cve": null, + "cve": "PVE-2021-38991", "id": "pyup.io-38991", "specs": [ "<5.2.2rc1" 
@@ -12462,56 +16468,164 @@ "v": "<5.2.2rc1" }, { - "advisory": "Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a \"highly serious vulnerability.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.", - "cve": "CVE-2011-2528", - "id": "pyup.io-25965", + "advisory": "Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. See CVE-2020-28734.", + "cve": "CVE-2020-28734", + "id": "pyup.io-39376", "specs": [ - "==3.3.5,==3.3.4,==3.3.3,==3.3.2" + "<5.2.3" ], - "v": "==3.3.5,==3.3.4,==3.3.3,==3.3.2" + "v": "<5.2.3" }, { - "advisory": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.", - "cve": "CVE-2011-3587", - "id": "pyup.io-33144", + "advisory": "Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). See CVE-2020-28735.", + "cve": "CVE-2020-28735", + "id": "pyup.io-39377", "specs": [ - ">4,<4.2a2" + "<5.2.3" ], - "v": ">4,<4.2a2" + "v": "<5.2.3" }, { - "advisory": "Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.", - "cve": "CVE-2017-5524", - "id": "pyup.io-35733", + "advisory": "Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). 
See CVE-2020-28736.", + "cve": "CVE-2020-28736", + "id": "pyup.io-39378", "specs": [ - ">4,<=4.3.11", - ">5,<=5.0.6" + "<5.2.3" ], - "v": ">4,<=4.3.11,>5,<=5.0.6" + "v": "<5.2.3" }, { - "advisory": "By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.)", - "cve": "CVE-2017-1000484", - "id": "pyup.io-35704", + "advisory": "Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. 
This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload.", + "cve": "CVE-2021-3313", + "id": "pyup.io-40528", "specs": [ - ">4,<=4.3.15", - ">=5.0,<5.1rc1" + "<5.2.4" ], - "v": ">4,<=4.3.15,>=5.0,<5.1rc1" + "v": "<5.2.4" }, { - "advisory": "Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.", - "cve": "CVE-2011-1949", - "id": "pyup.io-25997", + "advisory": "Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.", + "cve": "CVE-2021-33512", + "id": "pyup.io-40537", "specs": [ - ">=2.1,<4.2" + "<=5.2.4" ], - "v": ">=2.1,<4.2" + "v": "<=5.2.4" }, { - "advisory": "Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors.", - "cve": "CVE-2011-0720", - "id": "pyup.io-33142", + "advisory": "Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file.", + "cve": "CVE-2021-33510", + "id": "pyup.io-40535", + "specs": [ + "<=5.2.4" + ], + "v": "<=5.2.4" + }, + { + "advisory": "Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool.", + "cve": "CVE-2021-33513", + "id": "pyup.io-40538", + "specs": [ + "<=5.2.4" + ], + "v": "<=5.2.4" + }, + { + "advisory": "Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item.", + "cve": "CVE-2021-33508", + "id": "pyup.io-40533", + "specs": [ + "<=5.2.4" + ], + "v": "<=5.2.4" + }, + { + 
"advisory": "Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel.", + "cve": "CVE-2021-33511", + "id": "pyup.io-40536", + "specs": [ + "<=5.2.4" + ], + "v": "<=5.2.4" + }, + { + "advisory": "Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script.", + "cve": "CVE-2021-33509", + "id": "pyup.io-40534", + "specs": [ + "<=5.2.4" + ], + "v": "<=5.2.4" + }, + { + "advisory": "Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.", + "cve": "CVE-2021-33507", + "id": "pyup.io-40821", + "specs": [ + "<=5.2.4" + ], + "v": "<=5.2.4" + }, + { + "advisory": "Unspecified vulnerability in (1) Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and (2) PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a \"highly serious vulnerability.\" NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.", + "cve": "CVE-2011-2528", + "id": "pyup.io-25965", + "specs": [ + "==3.3.5,==3.3.4,==3.3.3,==3.3.2" + ], + "v": "==3.3.5,==3.3.4,==3.3.3,==3.3.2" + }, + { + "advisory": "A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the \"form.widgets.site_title\" parameter. 
See CVE-2021-29002.", + "cve": "CVE-2021-29002", + "id": "pyup.io-40094", + "specs": [ + "==5.2.3" + ], + "v": "==5.2.3" + }, + { + "advisory": "Unspecified vulnerability in Zope 2.12.x and 2.13.x, as used in Plone 4.0.x through 4.0.9, 4.1, and 4.2 through 4.2a2, allows remote attackers to execute arbitrary commands via vectors related to the p_ class in OFS/misc_.py and the use of Python modules.", + "cve": "CVE-2011-3587", + "id": "pyup.io-33144", + "specs": [ + ">4,<4.2a2" + ], + "v": ">4,<4.2a2" + }, + { + "advisory": "Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method.", + "cve": "CVE-2017-5524", + "id": "pyup.io-35733", + "specs": [ + ">4,<=4.3.11", + ">5,<=5.0.6" + ], + "v": ">4,<=4.3.11,>5,<=5.0.6" + }, + { + "advisory": "By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. 
(The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.)", + "cve": "CVE-2017-1000484", + "id": "pyup.io-35704", + "specs": [ + ">4,<=4.3.15", + ">=5.0,<5.1rc1" + ], + "v": ">4,<=4.3.15,>=5.0,<5.1rc1" + }, + { + "advisory": "Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.", + "cve": "CVE-2011-1949", + "id": "pyup.io-25997", + "specs": [ + ">=2.1,<4.2" + ], + "v": ">=2.1,<4.2" + }, + { + "advisory": "Unspecified vulnerability in Plone 2.5 through 4.0, as used in Conga, luci, and possibly other products, allows remote attackers to obtain administrative access, read or create arbitrary content, and change the site skin via unknown vectors.", + "cve": "CVE-2011-0720", + "id": "pyup.io-33142", "specs": [ ">=2.5,<4.0" ], @@ -12567,7 +16681,7 @@ "v": ">=4.3,<=5.2.0" }, { - "advisory": "A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission.", + "advisory": "A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. See: CVE-2020-7941.", "cve": "CVE-2020-7941", "id": "pyup.io-36898", "specs": [ 
@@ -12584,6 +16698,15 @@ ], "v": ">=5.0,<=5.2.1" }, + { + "advisory": "In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folder contents view, if a Contributor has created a folder with a SCRIPT tag in the description field.", + "cve": "CVE-2021-35959", + "id": "pyup.io-40886", + "specs": [ + ">=5.0.0,<=5.2.4" + ], + "v": ">=5.0.0,<=5.2.4" + }, { "advisory": "plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. See: CVE-2020-7938.", "cve": "CVE-2020-7938", @@ -12597,7 +16720,7 @@ "plone-app-contentmenu": [ { "advisory": "Plone-app-contentmenu 1.1.7 escapes the title of the defaultpage in the DisplayMenu. This fixes a potential\r\n xss attack and http://dev.plone.org/plone/ticket/8377.", - "cve": null, + "cve": "PVE-2021-36047", "id": "pyup.io-36047", "specs": [ "<1.1.7" @@ -12608,7 +16731,7 @@ "plone-app-contenttypes": [ { "advisory": "plone-app-contenttypes 1.2.15 fixes a possible cross site scripting (XSS) attack in lead image caption.", - "cve": null, + "cve": "PVE-2021-35870", "id": "pyup.io-35870", "specs": [ "<1.2.15" @@ -12619,7 +16742,7 @@ "plone-app-discussion": [ { "advisory": "plone-app-discussion 2.4.14 fixes a possible cross site scripting (XSS) attack on moderate comments page.", - "cve": null, + "cve": "PVE-2021-35864", "id": "pyup.io-35864", "specs": [ "<2.4.14" @@ -12630,7 +16753,7 @@ "plone-app-event": [ { "advisory": "plone-app-event 3.0 fixes a possible cross site scripting (XSS) attack in location field.", - "cve": null, + "cve": "PVE-2021-35923", "id": "pyup.io-35923", "specs": [ "<3.0" @@ -12652,7 +16775,7 @@ "plone-dexterity": [ { "advisory": "In plone-dexterity before 2.3.0 Attribute access to schema fields can be protected. This\r\n worked for direct schemas, but was not implemented for permissions coming\r\n from behaviors.", - "cve": null, + "cve": "PVE-2021-35873", "id": "pyup.io-35873", "specs": [ "<2.3.0" 
@@ -12663,7 +16786,7 @@ "plone.app.content": [ { "advisory": "plone.app.content 3.3.1 includes security hotfix 20160830 for folder factories redirection.", - "cve": null, + "cve": "PVE-2021-26000", "id": "pyup.io-26000", "specs": [ "<3.3.1" @@ -12672,7 +16795,7 @@ }, { "advisory": "Plone.app.content 3.8.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher", - "cve": null, + "cve": "PVE-2021-38030", "id": "pyup.io-38030", "specs": [ "<3.8.1" @@ -12683,7 +16806,7 @@ "plone.app.contentmenu": [ { "advisory": "plone.app.contentmenu 1.1.7 fixes a potential xss attack and http://dev.plone.org/plone/ticket/8377.", - "cve": null, + "cve": "PVE-2021-26001", "id": "pyup.io-26001", "specs": [ "<1.1.7" @@ -12694,7 +16817,7 @@ "plone.app.contenttypes": [ { "advisory": "plone.app.contenttypes 1.2.15 fixes a possible cross site scripting (XSS) attack in lead image caption.", - "cve": null, + "cve": "PVE-2021-26002", "id": "pyup.io-26002", "specs": [ "<1.2.15" @@ -12702,7 +16825,7 @@ "v": "<1.2.15" }, { - "advisory": "plone.app.contenttypes 2.1.6 integrates PloneHotFix20200121: add more permission checks - see https://plone.org/security/hotfix/20200121/privilege-escalation-for-overwriting-content", + "advisory": "A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. See: CVE-2020-7941.", "cve": "CVE-2020-7941", "id": "pyup.io-37887", "specs": [ @@ -12714,7 +16837,7 @@ "plone.app.dexterity": [ { "advisory": "The modeleditor in plone.app.dexterity 2.6.8 no longer resolves entities, and it removes processing instructions. This increases the security.", - "cve": null, + "cve": "PVE-2021-39143", "id": "pyup.io-39143", "specs": [ "<2.6.8" 
@@ -12725,7 +16848,7 @@ "plone.app.discussion": [ { "advisory": "plone.app.discussion 2.4.14 fixes a possible cross site scripting (XSS) attack on moderate comments page.", - "cve": null, + "cve": "PVE-2021-26003", "id": "pyup.io-26003", "specs": [ "<2.4.14" @@ -12734,7 +16857,7 @@ }, { "advisory": "plone.app.discussion 2.4.18 includes security hotfix 20160830 for redirects.", - "cve": null, + "cve": "PVE-2021-26004", "id": "pyup.io-26004", "specs": [ "<2.4.18" @@ -12745,7 +16868,7 @@ "plone.app.event": [ { "advisory": "plone.app.event 3.0 fixes a possible cross site scripting (XSS) attack in location field", - "cve": null, + "cve": "PVE-2021-26005", "id": "pyup.io-26005", "specs": [ "<3.0" @@ -12754,7 +16877,7 @@ }, { "advisory": "Plone.app.event 3.2.10 gives a validation error in the ical importer when a 'file://' URL is used (this could be a line of attack for a hacker).", - "cve": null, + "cve": "PVE-2021-39140", "id": "pyup.io-39140", "specs": [ "<3.2.10" @@ -12765,7 +16888,7 @@ "plone.app.layout": [ { "advisory": "Plone.app.layout 3.4.1 integrate the Plone20200121 hotfix to prevent XSS in title - see: https://plone.org/security/hotfix/20200121/xss-in-the-title-field-on-plone-5-0-and-higher", - "cve": null, + "cve": "PVE-2021-38031", "id": "pyup.io-38031", "specs": [ "<3.4.1" @@ -12787,7 +16910,7 @@ "plone.app.theming": [ { "advisory": "Plone.app.theming 4.1.6 fails when trying file protocol access in diazo rules. It also no longer resolves entities, and removes processing instructions. This are security enhancements.", - "cve": null, + "cve": "PVE-2021-39142", "id": "pyup.io-39142", "specs": [ "<4.1.6" @@ -12798,7 +16921,7 @@ "plone.dexterity": [ { "advisory": "plone.dexterity 2.3.0 fixes a security issue. Attribute access to schema fields can be protected. This worked for direct schemas, but was not implemented for permissions coming from behaviors.", - "cve": null, + "cve": "PVE-2021-26007", "id": "pyup.io-26007", "specs": [ "<2.3.0" 
@@ -12809,7 +16932,7 @@ "plone.formwidget.contenttree": [ { "advisory": "plone.formwidget.contenttree 1.0a3 fixes an issues with the security validator to work properly on add views and other views using namespace traversal.", - "cve": null, + "cve": "PVE-2021-26008", "id": "pyup.io-26008", "specs": [ "<1.0a3" @@ -12820,7 +16943,7 @@ "plone.memoize": [ { "advisory": "Plone.memoize 1.0.3 no longeruses hash when making cache keys. This is to avoid cache collisions, and to avoid a potential security problem where an attacker could manually craft collisions. Also, the use of hash() is no longer recommending in tests.", - "cve": null, + "cve": "PVE-2021-37107", "id": "pyup.io-37107", "specs": [ "<1.0.3" @@ -12831,7 +16954,7 @@ "plone.mockup": [ { "advisory": "plone.mockup before 2.1.3 is vulnerable to a XSS attack in structure and relateditem pattern.", - "cve": null, + "cve": "PVE-2021-26009", "id": "pyup.io-26009", "specs": [ "<2.1.3" @@ -12842,7 +16965,7 @@ "plone.openid": [ { "advisory": "plone.openid before 2.0.2 is not using the system number generator, even if it is available.", - "cve": null, + "cve": "PVE-2021-26010", "id": "pyup.io-26010", "specs": [ "<2.0.2" @@ -12850,10 +16973,21 @@ "v": "<2.0.2" } ], + "plone.portlet.static": [ + { + "advisory": "Plone.portlet.static 1.2 starts to ensure that text output is passed through the 'safe-html' transform to protect against malicious text.", + "cve": "PVE-2021-40232", + "id": "pyup.io-40232", + "specs": [ + "<1.2" + ], + "v": "<1.2" + } + ], "plone.recipe.varnish": [ { "advisory": "Plone.recipe.varnish 6.0.0b1 updates to Varnish 6.0.6 LTS security release.", - "cve": null, + "cve": "PVE-2021-37942", "id": "pyup.io-37942", "specs": [ "<6.0.0b1" 
@@ -12864,7 +16998,7 @@ "plone.session": [ { "advisory": "Plone.session 3.6.2 hardens the default timeout of session. This solves Plone security internal issue 126 (severity low, non-critical). Also, the session timeout is now the same as in mod_auth_tkt: 2h. This follows the recommendation of the German BSI (federal office for security in the information technology) - see . For existing sites this can be adjusted at . The Plone Security Team follows the BSI and recommends administrators to change the setting in their existing Plone sites.", - "cve": null, + "cve": "PVE-2021-38207", "id": "pyup.io-38207", "specs": [ "<3.6.2" @@ -12875,7 +17009,7 @@ "plone.supermodel": [ { "advisory": "Plone.supermodel 1.6.3 no longer resolves entities in the xml parser. It also removes processing instructions. These are both security enhancements.", - "cve": null, + "cve": "PVE-2021-39141", "id": "pyup.io-39141", "specs": [ "<1.6.3" @@ -12886,7 +17020,7 @@ "plone.z3cform": [ { "advisory": "Plone.z3cform 0.5.9 fixes a security problem with the ++widget++ namespace [optilude].", - "cve": null, + "cve": "PVE-2021-37035", "id": "pyup.io-37035", "specs": [ "<0.5.9" @@ -12897,7 +17031,7 @@ "plotly": [ { "advisory": "Plotly 1.15.0 improves a potential XSS input in `text` fields.", - "cve": null, + "cve": "PVE-2021-37053", "id": "pyup.io-37053", "specs": [ "<1.15.0" @@ -12906,7 +17040,7 @@ }, { "advisory": "Plotly 1.22.0 fixes an XSS vulnerability in a trace name on hover.", - "cve": null, + "cve": "PVE-2021-37052", "id": "pyup.io-37052", "specs": [ "<1.22.0" @@ -12915,7 +17049,7 @@ }, { "advisory": "Plotly 1.5.1 updates insecure dev dependencies `ecstatic` and `uglify-js`.", - "cve": null, + "cve": "PVE-2021-38545", "id": "pyup.io-38545", "specs": [ "<1.5.1" 
@@ -12924,7 +17058,7 @@ }, { "advisory": "Plotly 1.54.4 bumps `ecstatic`, `gl-selet-static`, `gl-plot2d` & `gl-plot3d` and drops `cwise` to simplify build process & address security warnings [4929, 4930, 4934].", - "cve": null, + "cve": "PVE-2021-38454", "id": "pyup.io-38454", "specs": [ "<1.54.4" @@ -12935,7 +17069,7 @@ "plugwise": [ { "advisory": "Plugwise 0.8.2 improves the security by switching from lxml to defusedxml.", - "cve": null, + "cve": "PVE-2021-39026", "id": "pyup.io-39026", "specs": [ "<0.8.2" @@ -12946,7 +17080,7 @@ "plumi.app": [ { "advisory": "plumi.app 4.2 includes a security hotfix related to LinguaPlone & plone.app.discussion.", - "cve": null, + "cve": "PVE-2021-26011", "id": "pyup.io-26011", "specs": [ "<4.2" @@ -12955,7 +17089,7 @@ }, { "advisory": "plumi.app before 4.2.1 uses a insecure transitive dependency (plone<4.0.7).", - "cve": null, + "cve": "PVE-2021-26012", "id": "pyup.io-26012", "specs": [ "<4.2.1" @@ -12964,7 +17098,7 @@ }, { "advisory": "plumi.app 4.2.2 patches a serious security vulnerability/", - "cve": null, + "cve": "PVE-2021-26013", "id": "pyup.io-26013", "specs": [ "<4.2.2" @@ -12975,7 +17109,7 @@ "plusminus": [ { "advisory": "Plusminus 0.3.0 has been hardened against some possible attacks, using deep expression nesting or formula references.", - "cve": null, + "cve": "PVE-2021-38323", "id": "pyup.io-38323", "specs": [ "<0.3.0" @@ -12986,7 +17120,7 @@ "pmr2.oauth": [ { "advisory": "pmr2.oauth before 0.4.2 is vulnerable to CSRF attacks.", - "cve": null, + "cve": "PVE-2021-26014", "id": "pyup.io-26014", "specs": [ "<0.4.2" @@ -12997,7 +17131,7 @@ "podder-task-base": [ { "advisory": "podder-task-base 0.4.0 changes: Update version of SQLAlchemy, Jinja for security reason", - "cve": null, + "cve": "PVE-2021-37260", "id": "pyup.io-37260", "specs": [ "<0.4.0" 
@@ -13005,10 +17139,77 @@ "v": "<0.4.0" } ], + "podman": [ + { + "advisory": "Podman 0.11.1 increases security and performance when looking up groups.", + "cve": "PVE-2021-40523", + "id": "pyup.io-40523", + "specs": [ + "<0.11.1" + ], + "v": "<0.11.1" + }, + { + "advisory": "Podman 0.12.1.1 removes manual handling of insecure registries in different code areas.", + "cve": "PVE-2021-40522", + "id": "pyup.io-40522", + "specs": [ + "<0.12.1.1" + ], + "v": "<0.12.1.1" + }, + { + "advisory": "Podman 3.0.0 starts to honor 'systempaths=unconfined' for the 'ro' library paths.", + "cve": "PVE-2021-40513", + "id": "pyup.io-40513", + "specs": [ + "<3.0.0" + ], + "v": "<3.0.0" + } + ], + "podman-py": [ + { + "advisory": "Podman-py 0.11.1 increases security and performance when looking up groups.", + "cve": "PVE-2021-40456", + "id": "pyup.io-40456", + "specs": [ + "<0.11.1" + ], + "v": "<0.11.1" + }, + { + "advisory": "Podman-py 0.12.1.1 removes manual handling of insecure registries in podman search, doPullImage, and PushImageToReference.", + "cve": "PVE-2021-40455", + "id": "pyup.io-40455", + "specs": [ + "<0.12.1.1" + ], + "v": "<0.12.1.1" + }, + { + "advisory": "Podman-py 1.9.0rc2 sets the security options even if the user does not specify options.", + "cve": "PVE-2021-40448", + "id": "pyup.io-40448", + "specs": [ + "<1.9.0rc2" + ], + "v": "<1.9.0rc2" + }, + { + "advisory": "Podman-py 3.0.0 adds an small security improvement (honor 'systempaths=unconfined' for the 'ro' paths).", + "cve": "PVE-2021-40446", + "id": "pyup.io-40446", + "specs": [ + "<3.0.0" + ], + "v": "<3.0.0" + } + ], "pokedex.py": [ { "advisory": "pokedex.py 1.1.2 updates `requests` package to `>=2.20.0,<3.0.0` to fix information exposure vulnerability", - "cve": null, + "cve": "PVE-2021-36593", "id": "pyup.io-36593", "specs": [ "<1.1.2" 
@@ -13019,7 +17220,7 @@ "polemarch": [ { "advisory": "polemarch 1.2.1 change: Update `bootstrap` and `moment.js` for security reasons.", - "cve": null, + "cve": "PVE-2021-37229", "id": "pyup.io-37229", "specs": [ "<1.2.1" @@ -13030,7 +17231,7 @@ "polyaxon": [ { "advisory": "Polyaxon 0.4.1 updates dependencies exposing security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-38029", "id": "pyup.io-38029", "specs": [ "<0.4.1" @@ -13039,7 +17240,7 @@ }, { "advisory": "Polyaxon 0.4.3 update some packages that have some security and deprecation problems.", - "cve": null, + "cve": "PVE-2021-38028", "id": "pyup.io-38028", "specs": [ "<0.4.3" @@ -13048,7 +17249,7 @@ }, { "advisory": "Polyaxon 0.5.1 updates lodash: vulnerability issue.", - "cve": null, + "cve": "PVE-2021-38025", "id": "pyup.io-38025", "specs": [ "<0.5.1" @@ -13057,7 +17258,7 @@ }, { "advisory": "Polyaxon 0.5.5 updates dependencies with security release.", - "cve": null, + "cve": "PVE-2021-38023", "id": "pyup.io-38023", "specs": [ "<0.5.5" @@ -13066,7 +17267,7 @@ }, { "advisory": "Polyaxon 0.6.0 fixes some unspecified security issues.", - "cve": null, + "cve": "PVE-2021-38022", "id": "pyup.io-38022", "specs": [ "<0.6.0" @@ -13074,10 +17275,21 @@ "v": "<0.6.0" } ], + "polyswarm-client": [ + { + "advisory": "Polyswarm-client 2.11.7 updates the 'aiohttp' dependency to a non-vulnerable version.", + "cve": "PVE-2021-40126", + "id": "pyup.io-40126", + "specs": [ + "<2.11.7" + ], + "v": "<2.11.7" + } + ], "poorwsgi": [ { "advisory": "poorwsgi 1.0.2 includes several security related enhancements related to secret key generation.", - "cve": null, + "cve": "PVE-2021-26015", "id": "pyup.io-26015", "specs": [ "<1.0.2" @@ -13088,7 +17300,7 @@ "pootle": [ { "advisory": "pootle before 2.8.0rc5 is vulnerable to several undisclosed security vulnerabilites.", - "cve": null, + "cve": "PVE-2021-34211", "id": "pyup.io-34211", "specs": [ "<2.8.0rc5" 
@@ -13097,7 +17309,7 @@ }, { "advisory": "pootle before 2.8.0rc6 has multiple, undisclosed, security vulnerabilites that were found during an audit.", - "cve": null, + "cve": "PVE-2021-34790", "id": "pyup.io-34790", "specs": [ "<2.8.0rc6" @@ -13106,7 +17318,7 @@ }, { "advisory": "pootle before 2.7.3 is vulnerable to XSS attacks, so everybody with Pootle 2.7.x needs to upgrade.", - "cve": null, + "cve": "PVE-2021-34201", "id": "pyup.io-34201", "specs": [ ">=2.6,<2.7.3" @@ -13114,10 +17326,21 @@ "v": ">=2.6,<2.7.3" } ], + "portray": [ + { + "advisory": "Portray 1.6.0 updates the minimum version of the 'mkdocs-material' to 7.0.0 to address a security concerns in earlier versions.", + "cve": "PVE-2021-40138", + "id": "pyup.io-40138", + "specs": [ + "<1.6.0" + ], + "v": "<1.6.0" + } + ], "postfix-mta-sts-resolver": [ { "advisory": "Postfix-mta-sts-resolver 0.6.1 hardens the container security.", - "cve": null, + "cve": "PVE-2021-37461", "id": "pyup.io-37461", "specs": [ "<0.6.1" @@ -13128,7 +17351,7 @@ "prefect": [ { "advisory": "Prefect 0.12.6 removes password from Postgres tasks' initialization methods for security.", - "cve": null, + "cve": "PVE-2021-38663", "id": "pyup.io-38663", "specs": [ "<0.12.6" @@ -13137,7 +17360,7 @@ }, { "advisory": "Prefect 0.5.1 bumps `distributed` to 1.26.1 for enhanced security features - [878].", - "cve": null, + "cve": "PVE-2021-37020", "id": "pyup.io-37020", "specs": [ "<0.5.1" @@ -13148,7 +17371,7 @@ "pretaweb.healthcheck": [ { "advisory": "pretaweb.healthcheck before 1.0 is vulnerable to DoS attacks.", - "cve": null, + "cve": "PVE-2021-26016", "id": "pyup.io-26016", "specs": [ "<1.0" @@ -13159,7 +17382,7 @@ "priority": [ { "advisory": "priority before 1.2.0 is vulnerable to a denial of service attack whereby a remote peer can cause a user to insert an unbounded number of streams into the priority tree, eventually consuming all available memory.", - "cve": null, + "cve": "PVE-2021-26017", "id": "pyup.io-26017", "specs": [ "<1.2.0" 
@@ -13167,6 +17390,37 @@ "v": "<1.2.0" } ], + "prisma-cloud-pipeline": [ + { + "advisory": "Prisma-cloud-pipeline 0.1.3 updates pyyaml because it has a vulnerability.", + "cve": "PVE-2021-39686", + "id": "pyup.io-39686", + "specs": [ + "<0.1.3" + ], + "v": "<0.1.3" + } + ], + "privacyidea": [ + { + "advisory": "Privacyidea 3.4.1 uses a secure way to compare strings to avoid theoretical side channel attacks.", + "cve": "PVE-2021-39341", + "id": "pyup.io-39341", + "specs": [ + "<3.4.1" + ], + "v": "<3.4.1" + }, + { + "advisory": "Privacyidea 3.6 includes more secure configuration defaults.", + "cve": "PVE-2021-40970", + "id": "pyup.io-40970", + "specs": [ + "<3.6" + ], + "v": "<3.6" + } + ], "products-cmfcore": [ { "advisory": "Products-cmfcore 2.1.0beta2 adds POST-only protections to security critical methods. See: CVE-2007-0240.", @@ -13181,7 +17435,7 @@ "products-ploneformgen": [ { "advisory": "products-ploneformgen before 1.8.1 has a XSS vulnerability that could be exploited by users with the ability\r\n to create forms.", - "cve": null, + "cve": "PVE-2021-35878", "id": "pyup.io-35878", "specs": [ "<1.8.1" @@ -13192,7 +17446,7 @@ "products-zopetree": [ { "advisory": "Products-zopetree 1.3 fixes a security hole in the tree state decompressing mechanism. Previous versions were vulnerable to a denial of service attack using large tree states.", - "cve": null, + "cve": "PVE-2021-37726", "id": "pyup.io-37726", "specs": [ "<1.3" @@ -13203,7 +17457,7 @@ "products.cmfcontentpanels": [ { "advisory": "products.cmfcontentpanels before 1.4.1 has two not disclosed security issues.", - "cve": null, + "cve": "PVE-2021-26020", "id": "pyup.io-26020", "specs": [ "<1.4.1" @@ -13223,7 +17477,7 @@ }, { "advisory": "Products.cmfcore 2.3.0beta tightens the security for anonymous test user.", - "cve": null, + "cve": "PVE-2021-35818", "id": "pyup.io-35818", "specs": [ "<2.3.0beta" 
@@ -13234,7 +17488,7 @@ "products.cmfplone": [ { "advisory": "In Products.CMFPlone before 5.1b1, it's possible to access private content via str.format in through-the-web templates and scripts.", - "cve": null, + "cve": "PVE-2021-32997", "id": "pyup.io-32997", "specs": [ "<5.1b1" @@ -13243,7 +17497,7 @@ }, { "advisory": "Products.cmfplone 5.2.2 contains Products.isurlinportal 1.1.0 with a minor security hardening fix.", - "cve": null, + "cve": "PVE-2021-38701", "id": "pyup.io-38701", "specs": [ "<5.2.2" @@ -13252,7 +17506,7 @@ }, { "advisory": "Products.cmfplone 5.2.2rc1 fixes that isURLInPortal could be tricked into accepting malicious links.", - "cve": null, + "cve": "PVE-2021-39021", "id": "pyup.io-39021", "specs": [ "<5.2.2rc1" @@ -13263,7 +17517,7 @@ "products.cmfquickinstallertool": [ { "advisory": "products.cmfquickinstallertool before 3.0.14 is vulnerable to several cross site scripting (XSS) attacks.", - "cve": null, + "cve": "PVE-2021-26021", "id": "pyup.io-26021", "specs": [ "<3.0.14" 
@@ -13293,10 +17547,21 @@ "v": "<2.1.0beta2" } ], + "products.genericsetup": [ + { + "advisory": "Products.GenericSetup is a mini-framework for expressing the configured state of a Zope Site as a set of filesystem artifacts. In Products.GenericSetup before version 2.1.1 there is an information disclosure vulnerability - anonymous visitors may view log and snapshot files generated by the Generic Setup Tool. The problem has been fixed in version 2.1.1. Depending on how you have installed Products.GenericSetup, you should change the buildout version pin to 2.1.1 and re-run the buildout, or if you used pip simply do pip install `\"Products.GenericSetup>=2.1.1\"`.", + "cve": "CVE-2021-21360", + "id": "pyup.io-39685", + "specs": [ + "<2.1.1" + ], + "v": "<2.1.1" + } + ], "products.ldapuserfolder": [ { "advisory": "The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.", - "cve": null, + "cve": "PVE-2021-33148", "id": "pyup.io-33148", "specs": [ "<2.19" @@ -13316,7 +17581,7 @@ "products.ploneformgen": [ { "advisory": "products.ploneformgen before 1.8.1 is vulnerable to a XSS attack that could be exploited by users with the ability to create forms.", - "cve": null, + "cve": "PVE-2021-26024", "id": "pyup.io-26024", "specs": [ "<1.8.1" 
@@ -13335,10 +17600,48 @@ "v": ">3.2.2,<3.9" } ], + "products.pluggableauthservice": [ + { + "advisory": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an information disclosure vulnerability - everyone can list the names of roles defined in the ZODB Role Manager plugin if the site uses this plugin. The problem has been fixed in version 2.6.0. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to 2.6.0 and re-run the buildout, or if you used pip simply do `pip install \"Products.PluggableAuthService>=2.6.0\"`.", + "cve": "CVE-2021-21336", + "id": "pyup.io-39681", + "specs": [ + "<2.6.0" + ], + "v": "<2.6.0" + }, + { + "advisory": "Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. 
Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install \"Products.PluggableAuthService>=2.6.1\".", + "cve": "CVE-2021-21337", + "id": "pyup.io-39682", + "specs": [ + "<2.6.0" + ], + "v": "<2.6.0" + }, + { + "advisory": "Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.", + "cve": "CVE-2021-33507", + "id": "pyup.io-39695", + "specs": [ + "<2.6.2" + ], + "v": "<2.6.2" + }, + { + "advisory": "Products.pluggableauthservice 2.6.3 fixes CSRF token access for tigher TAL path expression security in Zope 5.2.1.", + "cve": "PVE-2021-40631", + "id": "pyup.io-40631", + "specs": [ + "<2.6.3" + ], + "v": "<2.6.3" + } + ], "products.poi": [ { "advisory": "products.poi before 2.2.3 allows anonymous users to see issues inside private folders.", - "cve": null, + "cve": "PVE-2021-26027", "id": "pyup.io-26027", "specs": [ "<2.2.3" 
@@ -13346,10 +17649,48 @@ "v": "<2.2.3" } ], + "projen": [ + { + "advisory": "Projen 0.3.10 inlcudes a fix for a security issue with standard-version 8.0.0.", + "cve": "PVE-2021-39417", + "id": "pyup.io-39417", + "specs": [ + "<0.3.10" + ], + "v": "<0.3.10" + }, + { + "advisory": "Projen 0.7.0 addresses a security issue with standard-version 8.0.0.", + "cve": "PVE-2021-39416", + "id": "pyup.io-39416", + "specs": [ + "<0.7.0" + ], + "v": "<0.7.0" + }, + { + "advisory": "Projen 0.8.0 addresses a security issue with standard-version 8.0.0.", + "cve": "PVE-2021-39415", + "id": "pyup.io-39415", + "specs": [ + "<0.8.0" + ], + "v": "<0.8.0" + }, + { + "advisory": "Projen 0.9.0 addresses a security issue with standard-version 8.0.0.", + "cve": "PVE-2021-39414", + "id": "pyup.io-39414", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], "psd-tools": [ { "advisory": "Psd-tools 1.8.31 updates `pillow` dependency to >= 6.2.0 for security reasons.", - "cve": null, + "cve": "PVE-2021-38525", "id": "pyup.io-38525", "specs": [ "<1.8.31" @@ -13358,7 +17699,7 @@ }, { "advisory": "Psd-tools 1.9.4 fixes a security issue related to compression in 1.8.37 - 1.9.3.", - "cve": null, + "cve": "PVE-2021-37654", "id": "pyup.io-37654", "specs": [ ">=1.8.37,<=1.9.3" @@ -13366,6 +17707,17 @@ "v": ">=1.8.37,<=1.9.3" } ], + "psiz": [ + { + "advisory": "Psiz 0.4.1 updates the 'TensorFlow' requirement to address a vulnerability in 2.3.0.", + "cve": "PVE-2021-40498", + "id": "pyup.io-40498", + "specs": [ + "<0.4.1" + ], + "v": "<0.4.1" + } + ], "psutil": [ { "advisory": "psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object. See CVE-2019-18874.", @@ -13380,7 +17732,7 @@ "ptah": [ { "advisory": "ptah before 0.3.3 is vulnerable to a undisclosed attack.", - "cve": null, + "cve": "PVE-2021-26028", "id": "pyup.io-26028", "specs": [ "<0.3.3" 
@@ -13388,9 +17740,31 @@ "v": "<0.3.3" } ], + "puccini": [ + { + "advisory": "Puccini 0.3 improves file output security.", + "cve": "PVE-2021-40026", + "id": "pyup.io-40026", + "specs": [ + "<0.3" + ], + "v": "<0.3" + } + ], + "pulpcore": [ + { + "advisory": "Pulpcore 3.11.0 adds the 'ALLOWED_CONTENT_CHECKSUMS' setting to remove 'md5' and 'sha1' since they are not secure. Now, by default, the 'ALLOWED_CONTENT_CHECKSUMS' contain 'sha224', 'sha256', 'sha384', and 'sha512'.", + "cve": "PVE-2021-40315", + "id": "pyup.io-40315", + "specs": [ + "<3.11.0" + ], + "v": "<3.11.0" + } + ], "pulumi-kubernetes": [ { - "advisory": "Pulumi-kubernetes 2.6.0 upgrades its version of pyyaml to fix a security vulnerability. See: CVE-2019-20477.", + "advisory": "Pulumi-kubernetes 2.6.0 includes a fix for CVE-2019-20477: PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.", "cve": "CVE-2019-20477", "id": "pyup.io-38772", "specs": [ @@ -13402,7 +17776,7 @@ "puput": [ { "advisory": "Puput 1.0.4 update the Django version to greater than 2.1.6 to fix security issues.", - "cve": null, + "cve": "PVE-2021-37153", "id": "pyup.io-37153", "specs": [ "<1.0.4" 
@@ -13410,33 +17784,94 @@ "v": "<1.0.4" } ], - "pure": [ + "pupyl": [ { - "advisory": "pure 1.5.2 prevents double prompt expansion in preprompt (e.g. secure against bad git branch names)", - "cve": null, - "id": "pyup.io-36940", + "advisory": "Pupyl 0.10.4 includes a security update regarding its dependencies. No details are provided.", + "cve": "PVE-2021-39208", + "id": "pyup.io-39208", "specs": [ - "<1.5.2" + "<0.10.4" ], - "v": "<1.5.2" - } - ], - "pwd": [ + "v": "<0.10.4" + }, { - "advisory": "pwd is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, - "id": "pyup.io-34983", + "advisory": "Pupyl 0.10.5 updated its dependencies version for security reasons.", + "cve": "PVE-2021-39392", + "id": "pyup.io-39392", "specs": [ - ">0", - "<0" + "<0.10.5" ], - "v": ">0,<0" - } - ], - "pwman3": [ + "v": "<0.10.5" + }, { - "advisory": "pwman3 before 0.4.0 uses cPickle.loads and cPickle.dumps.", - "cve": null, + "advisory": "Pupyl before 0.10.6 includes Tensorflow 2.3.1 which has security issues (see issue 73) and should therefore be upgraded to 2.4.0. However, the last version of Tensorflow has issues on its compilation (see Tensorflow issue 45744), and hence must be downgraded to ensure that the library still works.", + "cve": "PVE-2021-39400", + "id": "pyup.io-39400", + "specs": [ + "<0.10.6" + ], + "v": "<0.10.6" + }, + { + "advisory": "Pupyl 0.11.1 updates the 'Tensorflow' underlying dependency to the latest version due to a security flaw in versions previous to 2.5.0.", + "cve": "PVE-2021-40931", + "id": "pyup.io-40931", + "specs": [ + "<0.11.1" + ], + "v": "<0.11.1" + } + ], + "purdy": [ + { + "advisory": "Purdy 1.8.0 updates minimum dependency version for the 'Pygments' dependency due to an security advisory.", + "cve": "PVE-2021-40435", + "id": "pyup.io-40435", + "specs": [ + "<1.8.0" + ], + "v": "<1.8.0" + } + ], + "pure": [ + { + "advisory": "pure 1.5.2 prevents double prompt expansion in preprompt (e.g. 
secure against bad git branch names)", + "cve": "PVE-2021-36940", + "id": "pyup.io-36940", + "specs": [ + "<1.5.2" + ], + "v": "<1.5.2" + } + ], + "pushradar": [ + { + "advisory": "Pushradar 3.0.0alpha.2 includes a patch to make the channel authentication more secure.", + "cve": "PVE-2021-39630", + "id": "pyup.io-39630", + "specs": [ + "<3.0.0alpha.2", + "<3.0.0a2" + ], + "v": "<3.0.0alpha.2,<3.0.0a2" + } + ], + "pwd": [ + { + "advisory": "pwd is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", + "cve": "PVE-2021-34983", + "id": "pyup.io-34983", + "specs": [ + ">0", + "<0" + ], + "v": ">0,<0" + } + ], + "pwman3": [ + { + "advisory": "pwman3 before 0.4.0 uses cPickle.loads and cPickle.dumps.", + "cve": "PVE-2021-26029", "id": "pyup.io-26029", "specs": [ "<0.4.0" 
@@ -13444,6 +17879,37 @@ "v": "<0.4.0" } ], + "pwntools": [ + { + "advisory": "The shellcraft generator in pwntools before 4.3.1 is vulnerable to Server-Side Template Injection (SSTI), which can lead to remote code execution. See CVE-2020-28468.", + "cve": "CVE-2020-28468", + "id": "pyup.io-39426", + "specs": [ + "<4.3.1" + ], + "v": "<4.3.1" + }, + { + "advisory": "Pwntools 4.3.1 fixes a shellcraft SSTI vulnerability.", + "cve": "PVE-2021-39204", + "id": "pyup.io-39204", + "specs": [ + "<4.3.1" + ], + "v": "<4.3.1" + } + ], + "py": [ + { + "advisory": "A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality. See CVE-2020-29651.", + "cve": "CVE-2020-29651", + "id": "pyup.io-39253", + "specs": [ + "<=1.9.0" + ], + "v": "<=1.9.0" + } + ], "py-bcrypt": [ { "advisory": "The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten. See: CVE-2013-1895.", @@ -13458,7 +17924,7 @@ "py-ci": [ { "advisory": "Py-ci 0.5.2 upgrades versions of requests and jinja2 due to security alerts. See: .", - "cve": null, + "cve": "PVE-2021-37333", "id": "pyup.io-37333", "specs": [ "<0.5.2" 
@@ -13469,7 +17935,7 @@ "py-crypto-hd-wallet": [ { "advisory": "Py-crypto-hd-wallet 0.2.0 removes the possibility to load a wallet from file. This did not make a lot of sense because saving a wallet to file in JSON format is only meant for a quick and temporary storing of keys, not as a definitive and secure way to store it. For storing a wallet for future loading, it'd make more sense to just store the mnemonic, seed or extended key (depending how the wallet was generated) instead of the complete key chain by adding some security (e.g. crypting the file). This can be done by the user directly, in the way he prefers, with the APIs that are present now.", - "cve": null, + "cve": "PVE-2021-38175", "id": "pyup.io-38175", "specs": [ "<0.2.0" @@ -13480,7 +17946,7 @@ "py-espeak-ng": [ { "advisory": "py-espeak-ng 1.49.0 fixes many logic and security issues reported by clang scan-build, Coverity and msvc /analyze.", - "cve": null, + "cve": "PVE-2021-36322", "id": "pyup.io-36322", "specs": [ "<1.49.0" @@ -13491,7 +17957,7 @@ "py-gfm": [ { "advisory": "Py-gfm version 0.28.3.gfm.12 includes various security and bug fixes.", - "cve": null, + "cve": "PVE-2021-38621", "id": "pyup.io-38621", "specs": [ "<0.28.3.gfm.12" @@ -13510,10 +17976,21 @@ "v": "<5.0.0" } ], + "py-mon": [ + { + "advisory": "Py-mon 1.18.7 upgrades pstree to remove a vulnerability. See: .", + "cve": "PVE-2021-39345", + "id": "pyup.io-39345", + "specs": [ + "<1.18.7" + ], + "v": "<1.18.7" + } + ], "py-ms": [ { "advisory": "py-ms 1.0.1 replaces Jaeger with Lightstep - improved security.", - "cve": null, + "cve": "PVE-2021-36875", "id": "pyup.io-36875", "specs": [ "<1.0.1" @@ -13524,7 +18001,7 @@ "py-nightscout": [ { "advisory": "Py-nightscout 0.10.2 updates Node to 8.9.1, with security fixes.", - "cve": null, + "cve": "PVE-2021-38662", "id": "pyup.io-38662", "specs": [ "<0.10.2" 
@@ -13533,7 +18010,7 @@ }, { "advisory": "Py-nightscout 0.10.3 includes many upgrades to dependencies, including several security fixes.", - "cve": null, + "cve": "PVE-2021-38661", "id": "pyup.io-38661", "specs": [ "<0.10.3" @@ -13542,7 +18019,7 @@ }, { "advisory": "Py-nightscout 0.11.0 includes various security updates:\r\n- Unsecure access via http is not allowed anymore by default. \r\n- The 'mqtt' module was removed because it had a security issue and was not used.\r\n- The 'sgvdata' module was removed because it had a security issue.\r\n- Various updates to dependencies with known security issues.\r\n- Nightscout is now only allowed to start with a secure Node JS. \r\n- General improved security and new environment variables such as INSECURE_USE_HTTP and SECURE_HSTS_HEADER.\r\n - HTTP Strict Transport Security (HSTS) headers are now enabled by default, settings SECURE_HSTS_HEADER and SECURE_HSTS_HEADER_*.", - "cve": null, + "cve": "PVE-2021-38660", "id": "pyup.io-38660", "specs": [ "<0.11.0" @@ -13551,7 +18028,7 @@ }, { "advisory": "Py-nightscout 0.11.1 sticks to 'event-stream' version 3.3.4, because with 4.0.1 GitHub will issue a security warning.", - "cve": null, + "cve": "PVE-2021-38659", "id": "pyup.io-38659", "specs": [ "<0.11.1" @@ -13560,7 +18037,7 @@ }, { "advisory": "Py-nightscout 0.12.0 includes many dependency updates for security reasons.", - "cve": null, + "cve": "PVE-2021-38658", "id": "pyup.io-38658", "specs": [ "<0.12.0" @@ -13569,7 +18046,7 @@ }, { "advisory": "Py-nightscout 13.0.0 introduces the new APIv3, which generally provides a secured and HTTP REST compliant interface for Nightscout's data exchange.", - "cve": null, + "cve": "PVE-2021-38657", "id": "pyup.io-38657", "specs": [ "<13.0.0" @@ -13580,7 +18057,7 @@ "py-rate": [ { "advisory": "The luigi functionality before py-rate 0.3.0 was reported as vulnerable.", - "cve": null, + "cve": "PVE-2021-37312", "id": "pyup.io-37312", "specs": [ "<0.3.0" 
@@ -13588,10 +18065,21 @@ "v": "<0.3.0" } ], + "py-steamcmd-wrapper": [ + { + "advisory": "Py-steamcmd-wrapper 1.0.6 includes a security fix for the 'urllib3' underlying dependency.", + "cve": "PVE-2021-40780", + "id": "pyup.io-40780", + "specs": [ + "<1.0.6" + ], + "v": "<1.0.6" + } + ], "py3web": [ { "advisory": "py3web before 0.21 isn't checking for bad characters in headers.", - "cve": null, + "cve": "PVE-2021-32919", "id": "pyup.io-32919", "specs": [ "<0.21" @@ -13602,7 +18090,7 @@ "pyamf": [ { "advisory": "pyamf 0.8 fixes a security issue and now wrappes all xml parsing in ``defusedxml`` to protect against any XML entity attacks. See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. Thanks to Nicolas Gr\u00e9goire (Agarri_FR) for the report.", - "cve": null, + "cve": "PVE-2021-34622", "id": "pyup.io-34622", "specs": [ "<0.8" @@ -13624,7 +18112,7 @@ "pyarmor": [ { "advisory": "pyarmor 5.1.2 Improves the security of PyArmor self", - "cve": null, + "cve": "PVE-2021-36853", "id": "pyup.io-36853", "specs": [ "<5.1.2" @@ -13635,7 +18123,7 @@ "pybald": [ { "advisory": "Pybald 0.5.6 updates SQLAlchemy dependency to 1.3.3 to mitigate a security issue with SQLAlchemy verstions <= 1.3.0.", - "cve": null, + "cve": "PVE-2021-37104", "id": "pyup.io-37104", "specs": [ "<0.5.6" @@ -13646,7 +18134,7 @@ "pybeerxml": [ { "advisory": "Pybeerxml 1.0.8 bumps some dependency versions for security fixes.", - "cve": null, + "cve": "PVE-2021-38251", "id": "pyup.io-38251", "specs": [ "<1.0.8" @@ -13657,7 +18145,7 @@ "pybible-cli": [ { "advisory": "Version 1.1.2: Bible pickle files have been replaced by JSON files for better performance and security.", - "cve": null, + "cve": "PVE-2021-38043", "id": "pyup.io-38043", "specs": [ "<1.1.2" 
@@ -13665,10 +18153,21 @@ "v": "<1.1.2" } ], + "pyca": [ + { + "advisory": "Pyca 3.3 includes a configurable, random delay for ingests to avoid accidental DDoS attacks.", + "cve": "PVE-2021-39215", + "id": "pyup.io-39215", + "specs": [ + "<3.3" + ], + "v": "<3.3" + } + ], "pycapnp": [ { "advisory": "pycapnp before 0.5.5 bundled an insecure library (libcapnp).", - "cve": null, + "cve": "PVE-2021-26030", "id": "pyup.io-26030", "specs": [ "<0.5.5" @@ -13679,7 +18178,7 @@ "pycapnp-async": [ { "advisory": "Pycapnp-async 0.5.4 updates the bundled C++ libcapnp to v0.5.1.1 security release.", - "cve": null, + "cve": "PVE-2021-37586", "id": "pyup.io-37586", "specs": [ "<0.5.4" @@ -13688,7 +18187,7 @@ }, { "advisory": "Pycapnp-async 0.5.5 updates the bundled C++ libcapnp to v0.5.1.2 security release.", - "cve": null, + "cve": "PVE-2021-37585", "id": "pyup.io-37585", "specs": [ "<0.5.5" @@ -13710,7 +18209,7 @@ "pycln": [ { "advisory": "Pycln 0.0.1alpha.3 mentions: \"C wrapped modules import star expanding related vulnerability by hadialqattan\"", - "cve": null, + "cve": "PVE-2021-38857", "id": "pyup.io-38857", "specs": [ "<0.0.1alpha.3" @@ -13721,7 +18220,7 @@ "pyconll": [ { "advisory": "pyconll 1.1.0 updates ``requests`` dependency due to security flaw", - "cve": null, + "cve": "PVE-2021-36647", "id": "pyup.io-36647", "specs": [ "<1.1.0" @@ -13730,7 +18229,7 @@ }, { "advisory": "pyconll before 1.1.2 the ``requests`` version used in ``requirements.txt`` was insecure.", - "cve": null, + "cve": "PVE-2021-36763", "id": "pyup.io-36763", "specs": [ "<1.1.2" @@ -13741,7 +18240,7 @@ "pycookiecheat": [ { "advisory": "Pycookiecheat 0.2.0 makes SQL query more secure by avoiding string formatting.", - "cve": null, + "cve": "PVE-2021-26729", "id": "pyup.io-26729", "specs": [ "<0.2.0" 
@@ -13758,10 +18257,21 @@ "v": "<0.4.5" } ], + "pycrtsh": [ + { + "advisory": "Pycrtsh 0.3.4 upgrades the 'lxml' dependency from 4.5.1 to 4.6.2 following a security bug.", + "cve": "PVE-2021-40087", + "id": "pyup.io-40087", + "specs": [ + "<0.3.4" + ], + "v": "<0.3.4" + } + ], "pycryptex": [ { "advisory": "Pycryptex 0.5.0 adds new config keys (***secure-deletion*** and ***secure-deletion-passes***) to set securely deletion of clear files in encryption operations.", - "cve": null, + "cve": "PVE-2021-39109", "id": "pyup.io-39109", "specs": [ "<0.5.0" @@ -13772,7 +18282,7 @@ "pycrypto": [ { "advisory": "In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group. However, in PyCrypto 2.5 and earlier, g is more simply the generator of a random sub-group of Z^*_p.", - "cve": null, + "cve": "PVE-2021-26032", "id": "pyup.io-26032", "specs": [ "<2.6" 
@@ -13780,18 +18290,18 @@ "v": "<2.6" }, { - "advisory": "The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.", - "cve": "CVE-2013-1445", - "id": "pyup.io-33150", + "advisory": "lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.", + "cve": "CVE-2018-6594", + "id": "pyup.io-35765", "specs": [ "<2.6.1" ], "v": "<2.6.1" }, { - "advisory": "lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.", - "cve": "CVE-2018-6594", - "id": "pyup.io-35765", + "advisory": "The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.", + "cve": "CVE-2013-1445", + "id": "pyup.io-33150", "specs": [ "<2.6.1" ], 
@@ -13810,7 +18320,7 @@ "pycryptodome": [ { "advisory": "pycryptodome before 3.6.6 has a vulnerability on AESNI ECB with payloads smaller than 16 bytes.", - "cve": null, + "cve": "PVE-2021-36384", "id": "pyup.io-36384", "specs": [ "<3.6.6" @@ -13832,7 +18342,7 @@ "pydal": [ { "advisory": "pydal before 15.02.27 has a security flaw which could lead to db password storing in cache.", - "cve": null, + "cve": "PVE-2021-33022", "id": "pyup.io-33022", "specs": [ "<15.02.27" 
@@ -13840,10 +18350,39 @@ "v": "<15.02.27" } ], + "pydantic": [ + { + "advisory": "In affected versions of of Pydantic passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patched with fixes available in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on pypi(https://pypi.org/project/pydantic/#history), and will be available on conda-forge(https://anaconda.org/conda-forge/pydantic) soon. See the changelog(https://pydantic-docs.helpmanual.io/) for details. If you absolutely can't upgrade, you can work around this risk using a validator(https://pydantic-docs.helpmanual.io/usage/validators/) to catch these values. This is not an ideal solution (in particular you'll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue at https://github.com/samuelcolvin/pydantic/issues requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic.", + "cve": "CVE-2021-29510", + "id": "pyup.io-40442", + "specs": [ + ">=1.6.0a1,<1.6.2" + ], + "v": ">=1.6.0a1,<1.6.2" + }, + { + "advisory": "In affected versions of Pydantic passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patched with fixes available in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on pypi(https://pypi.org/project/pydantic/#history), and will be available on conda-forge(https://anaconda.org/conda-forge/pydantic) soon. See the changelog(https://pydantic-docs.helpmanual.io/) for details. 
If you absolutely can't upgrade, you can work around this risk using a validator(https://pydantic-docs.helpmanual.io/usage/validators/) to catch these values. This is not an ideal solution (in particular you'll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue at https://github.com/samuelcolvin/pydantic/issues requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic.", + "cve": "CVE-2021-29510", + "id": "pyup.io-40441", + "specs": [ + ">=1.7.0a1,<1.7.4" + ], + "v": ">=1.7.0a1,<1.7.4" + }, + { + "advisory": "In affected versions of Pydantic passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patched with fixes available in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on pypi(https://pypi.org/project/pydantic/#history), and will be available on conda-forge(https://anaconda.org/conda-forge/pydantic) soon. See the changelog(https://pydantic-docs.helpmanual.io/) for details. If you absolutely can't upgrade, you can work around this risk using a validator(https://pydantic-docs.helpmanual.io/usage/validators/) to catch these values. This is not an ideal solution (in particular you'll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic. 
If you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue at https://github.com/samuelcolvin/pydantic/issues requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic.", + "cve": "CVE-2021-29510", + "id": "pyup.io-40440", + "specs": [ + ">=1.8.0a1,<1.8.2" + ], + "v": ">=1.8.0a1,<1.8.2" + } + ], "pydotz": [ { "advisory": "pydotz 1.2.0 no longer has paths hard-coded due to security and privacy issues", - "cve": null, + "cve": "PVE-2021-37972", "id": "pyup.io-37972", "specs": [ "<1.2.0" @@ -13854,7 +18393,7 @@ "pyfda": [ { "advisory": "Pyfda 0.3.0 fixes an error when trying to load `*.npz` files: `numpy.load()` requires `allow_pickle = True` since version 1.16.3 for security reasons.", - "cve": null, + "cve": "PVE-2021-38164", "id": "pyup.io-38164", "specs": [ "<0.3.0" @@ -13865,7 +18404,7 @@ "pyforce": [ { "advisory": "Pyforce 1.8.0 fixes the external entities vulnerability #35.", - "cve": null, + "cve": "PVE-2021-38058", "id": "pyup.io-38058", "specs": [ "<1.8.0" @@ -13876,7 +18415,7 @@ "pyfrost": [ { "advisory": "Pyfrost 0.2.1 updates dependencies with security alerts.", - "cve": null, + "cve": "PVE-2021-38192", "id": "pyup.io-38192", "specs": [ "<0.2.1" @@ -13887,7 +18426,7 @@ "pyftpdlib": [ { "advisory": "pyftpdlib before 0.3.0 has a path traversal vulnerability in case of symbolic links escaping user's home directory.", - "cve": null, + "cve": "PVE-2021-26036", "id": "pyup.io-26036", "specs": [ "<0.3.0" 
@@ -13913,6 +18452,17 @@ "v": "<0.5.2" } ], + "pygopherd": [ + { + "advisory": "Pygopherd 0.9.0 includes several security enhancements. No details were included.", + "cve": "PVE-2021-39437", + "id": "pyup.io-39437", + "specs": [ + "<0.9.0" + ], + "v": "<0.9.0" + } + ], "pygresql": [ { "advisory": "The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.", @@ -13924,10 +18474,41 @@ "v": "<4.0" } ], + "pyhanko": [ + { + "advisory": "Pyhanko 0.3.0 no longer uses the homegrown 'RC4' class, which is not secure.", + "cve": "PVE-2021-40478", + "id": "pyup.io-40478", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], + "pyhf": [ + { + "advisory": "Pyhf 0.6.2 starts to use PyYAML's 'safe_load' for better security.", + "cve": "PVE-2021-40822", + "id": "pyup.io-40822", + "specs": [ + "<0.6.2" + ], + "v": "<0.6.2" + } + ], "pyinaturalist": [ + { + "advisory": "Pyinaturalist 0.7 includes minor dependency updates for security reasons.", + "cve": "PVE-2021-39616", + "id": "pyup.io-39616", + "specs": [ + "<0.7" + ], + "v": "<0.7" + }, { "advisory": "Pyinaturalist 0.7.0 includes minor dependencies updates for security reasons.", - "cve": null, + "cve": "PVE-2021-37127", "id": "pyup.io-37127", "specs": [ "<0.7.0" @@ -13938,7 +18519,7 @@ "pyinstaller": [ { "advisory": "Pyinstaller 3.5 updates the bundled zlib library to version 1.2.11 to address vulnerabilities.", - "cve": null, + "cve": "PVE-2021-39153", "id": "pyup.io-39153", "specs": [ "<3.5" 
@@ -13947,9 +18528,18 @@ } ], "pyjwt": [ + { + "advisory": "Pyjwt 1.0.0 includes a fix for security vulnerability where 'alg=None' header could bypass signature verification (https://github.com/jpadilla/pyjwt/pull/109) and adding support for a whitelist of allowed 'alg' values 'jwt.decode(algorithms=[])' (https://github.com/jpadilla/pyjwt/pull/110).", + "cve": "PVE-2021-39458", + "id": "pyup.io-39458", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, { "advisory": "pyjwt before 1.0.0 allows to bypass signature verification by setting the alg header to None.", - "cve": null, + "cve": "PVE-2021-26040", "id": "pyup.io-26040", "specs": [ "<1.0.0" @@ -13958,7 +18548,7 @@ }, { "advisory": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.", - "cve": null, + "cve": "PVE-2021-35014", "id": "pyup.io-35014", "specs": [ "<1.5.1" @@ -13991,7 +18581,7 @@ "pylabnet": [ { "advisory": "Servers in pylabnet before version 0.3.0 were not secure by default.", - "cve": null, + "cve": "PVE-2021-38667", "id": "pyup.io-38667", "specs": [ "<0.3.0" @@ -14002,7 +18592,7 @@ "pyldap": [ { "advisory": "pyldap before 2.0.0pre05 is using an insecure transitive dependency (ldapurl).", - "cve": null, + "cve": "PVE-2021-26041", "id": "pyup.io-26041", "specs": [ "<2.0.0pre05" 
@@ -14013,18 +18603,27 @@ "pylint": [ { "advisory": "Pylint 2.5.0 no longer allows ``python -m pylint ...`` to import user code. Previously, it added the current working directory as the first element of ``sys.path``. This opened up a potential security hole where ``pylint`` would import user level code as long as that code resided in modules having the same name as stdlib or pylint's own modules.", - "cve": null, + "cve": "PVE-2021-38224", "id": "pyup.io-38224", "specs": [ "<2.5.0" ], "v": "<2.5.0" + }, + { + "advisory": "Pylint 2.7.0 includes a fix for vulnerable regular expressions in 'pyreverse'.", + "cve": "PVE-2021-39621", + "id": "pyup.io-39621", + "specs": [ + "<2.7.0" + ], + "v": "<2.7.0" } ], "pylivetrader": [ { "advisory": "Pylivetrader 0.2.0 changes the yaml config loading to use the safe loading. This is a security fix.", - "cve": null, + "cve": "PVE-2021-38294", "id": "pyup.io-38294", "specs": [ "<0.2.0" @@ -14035,7 +18634,7 @@ "pylons": [ { "advisory": "pylons before 0.9.6.1 allows to access private controller methods to be accessed from the outside.", - "cve": null, + "cve": "PVE-2021-26042", "id": "pyup.io-26042", "specs": [ "<0.9.6.1" @@ -14044,7 +18643,7 @@ }, { "advisory": "pylons before 0.9.7 is vulnerable to a XSS attack on the default error page.", - "cve": null, + "cve": "PVE-2021-26043", "id": "pyup.io-26043", "specs": [ "<0.9.7" @@ -14053,7 +18652,7 @@ }, { "advisory": "pylons before 1.0.1RC1 is vulnerable to timing attacks on secure cookies.", - "cve": null, + "cve": "PVE-2021-26044", "id": "pyup.io-26044", "specs": [ "<1.0.1RC1" @@ -14062,7 +18661,7 @@ }, { "advisory": "pylons before 1.0.1rc1 is vulnerable to cookie timing attacks.", - "cve": null, + "cve": "PVE-2021-26045", "id": "pyup.io-26045", "specs": [ "<1.0.1rc1" @@ -14071,7 +18670,7 @@ }, { "advisory": "pylons before 1.0.2 includes \"Post Traceback\" which is a possible XSS vector.", - "cve": null, + "cve": "PVE-2021-26046", "id": "pyup.io-26046", "specs": [ "<1.0.2" 
@@ -14079,10 +18678,21 @@ "v": "<1.0.2" } ], + "pyloot": [ + { + "advisory": "Pyloot 0.0.6 updates several vulnerable dependencies.", + "cve": "PVE-2021-40798", + "id": "pyup.io-40798", + "specs": [ + "<0.0.6" + ], + "v": "<0.0.6" + } + ], "pymemcache": [ { "advisory": "pymemcache before 1.3.6 isn't sanitizing key inputs.", - "cve": null, + "cve": "PVE-2021-26047", "id": "pyup.io-26047", "specs": [ "<1.3.6" @@ -14103,7 +18713,7 @@ ], "pymisp": [ { - "advisory": "Pymisp 2.4.106 fixes CVE-2019-11324 (urllib3).", + "advisory": "Pymisp 2.4.106 includes a fix for CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.", "cve": "CVE-2019-11324", "id": "pyup.io-37292", "specs": [ @@ -14113,7 +18723,7 @@ }, { "advisory": "Pymisp v2.4.67 includes a security fix: do not try to load any valid path as a MISP Event.\r\n\r\nThe MISP Event loader was trying to open any string passed as parameter if is an existing file path. Anything that isn't a valid MISP event would raise an exception, but I can see it used for malicious purposes.\r\n\r\n`load_file` will do the same, but the user can decide if it is safe to use.", - "cve": null, + "cve": "PVE-2021-38507", "id": "pyup.io-38507", "specs": [ "<2.4.67" @@ -14146,7 +18756,7 @@ "pynoorm": [ { "advisory": "pynoorm 0.4.2 updates PyYaml to 4.2b4 to fix security vulnerability", - "cve": null, + "cve": "PVE-2021-36789", "id": "pyup.io-36789", "specs": [ "<0.4.2" @@ -14157,7 +18767,7 @@ "pynps": [ { "advisory": "Pynps 1.2.0 removes support for search after updating database for security reasons.", - "cve": null, + "cve": "PVE-2021-37724", "id": "pyup.io-37724", "specs": [ "<1.2.0" 
@@ -14168,7 +18778,7 @@ "pyoes": [ { "advisory": "pyoes 0.9.0 change: Libs updaten - security alert", - "cve": null, + "cve": "PVE-2021-37254", "id": "pyup.io-37254", "specs": [ "<0.9.0" @@ -14176,6 +18786,17 @@ "v": "<0.9.0" } ], + "pyomo": [ + { + "advisory": "Pyomo 5.7.2 fixes a security risk in GitHub Actions workflow (issue 1654).", + "cve": "PVE-2021-39315", + "id": "pyup.io-39315", + "specs": [ + "<5.7.2" + ], + "v": "<5.7.2" + } + ], "pyopenssl": [ { "advisory": "The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.", 
@@ -14187,18 +18808,18 @@ "v": "<0.13.1" }, { - "advisory": "Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.", - "cve": "CVE-2018-1000807", - "id": "pyup.io-36533", + "advisory": "Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.", + "cve": "CVE-2018-1000808", + "id": "pyup.io-36534", "specs": [ "<17.5.0" ], "v": "<17.5.0" }, { - "advisory": "Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.", - "cve": "CVE-2018-1000808", - "id": "pyup.io-36534", + "advisory": "Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.", + "cve": "CVE-2018-1000807", + "id": "pyup.io-36533", "specs": [ "<17.5.0" ], 
@@ -14208,7 +18829,7 @@ "pyorient": [ { "advisory": "pyorient before 1.4.9 has an SQL injection attack vector, exploitable in one location and potentially a few more, that allowed an attacker to change the WHERE clause in a query and cause it to return unexpected results", - "cve": null, + "cve": "PVE-2021-34150", "id": "pyup.io-34150", "specs": [ "<1.4.9" @@ -14219,7 +18840,7 @@ "pyowm": [ { "advisory": "pyowm 2.10 upgrades version for dependencies `requests` and `urllib3` as known security issues were raised for them.", - "cve": null, + "cve": "PVE-2021-36750", "id": "pyup.io-36750", "specs": [ "<2.10" @@ -14230,7 +18851,7 @@ "pypicloud": [ { "advisory": "pypicloud before 0.2.2 is vulnerable to a undisclosed attack.", - "cve": null, + "cve": "PVE-2021-26048", "id": "pyup.io-26048", "specs": [ "<0.2.2" @@ -14241,7 +18862,7 @@ "pypiserver": [ { "advisory": "pypiserver before 1.1.7 is vulnerable to XSS attacks.", - "cve": null, + "cve": "PVE-2021-26049", "id": "pyup.io-26049", "specs": [ "<1.1.7" @@ -14250,7 +18871,7 @@ }, { "advisory": "pypiserver 1.2.6 mitigates potential CRLF injection attacks from malicious URLs", - "cve": null, + "cve": "PVE-2021-36843", "id": "pyup.io-36843", "specs": [ "<1.2.6" @@ -14261,7 +18882,7 @@ "pyplanet": [ { "advisory": "pyplanet 0.6.2 - security: Upgraded library to solve security issues (requests library).", - "cve": null, + "cve": "PVE-2021-36666", "id": "pyup.io-36666", "specs": [ "<0.6.2" @@ -14270,7 +18891,7 @@ }, { "advisory": "Pyplanet 0.7.0 updates some libraries to fix some security issues (none of which were critical).", - "cve": null, + "cve": "PVE-2021-37476", "id": "pyup.io-37476", "specs": [ "<0.7.0" 
@@ -14278,10 +18899,41 @@ "v": "<0.7.0" } ], + "pypostalcode": [ + { + "advisory": "Pypostalcode 0.3.5 fixes an SQL injection vulnerability (passing user input FSA codes could delete your FSA code database).", + "cve": "PVE-2021-40033", + "id": "pyup.io-40033", + "specs": [ + "<0.3.5" + ], + "v": "<0.3.5" + }, + { + "advisory": "Pypostalcode 0.3.6 fixes an SQL injection vulnerability (passing user input FSA codes could delete your FSA code database).", + "cve": "PVE-2021-40813", + "id": "pyup.io-40813", + "specs": [ + "<0.3.6" + ], + "v": "<0.3.6" + } + ], + "pyqlib": [ + { + "advisory": "This affects all versions of package pyqlib. The workflow function in cli part of pyqlib was using an unsafe YAML load function. See CVE-2021-23338.", + "cve": "CVE-2021-23338", + "id": "pyup.io-40060", + "specs": [ + ">=0.0.0" + ], + "v": ">=0.0.0" + } + ], "pyrad": [ { "advisory": "pyrad before 0.6 isn't handling timeouts in client module correctly, leading to a potential denial of service.", - "cve": null, + "cve": "PVE-2021-26050", "id": "pyup.io-26050", "specs": [ "<0.6" @@ -14292,7 +18944,7 @@ "pyradiomics": [ { "advisory": "pyradiomics before 1.1.1 used `eval`which is not secure.", - "cve": null, + "cve": "PVE-2021-36302", "id": "pyup.io-36302", "specs": [ "<1.1.1" @@ -14303,7 +18955,7 @@ "pyramid": [ { "advisory": "Pyramid 0.2 adds ACL-based security.", - "cve": null, + "cve": "PVE-2021-32177", "id": "pyup.io-32177", "specs": [ "<0.2" @@ -14312,7 +18964,7 @@ }, { "advisory": "Pyramid 0.4.2 changes the default paster template generator to use ``Paste#http`` server rather than ``PasteScript#cherrpy`` server. The cherrypy server has a security risk in it when ``REMOTE_USER`` is trusted by the downstream application.", - "cve": null, + "cve": "PVE-2021-32184", "id": "pyup.io-32184", "specs": [ "<0.4.2" 
@@ -14321,7 +18973,7 @@ }, { "advisory": "In pyramid before 1.0a3, the pylons_* paster template used the same string (``your_app_secret_string``) for the ``session.secret`` setting in the generated ``development.ini``. This was a security risk if left unchanged in a project that used one of the templates to produce production applications. It now uses a randomly generated string.", - "cve": null, + "cve": "PVE-2021-32685", "id": "pyup.io-32685", "specs": [ "<1.0a3" @@ -14330,7 +18982,7 @@ }, { "advisory": "The default Mako renderer in pyramid 1.1a1 is configured to escape all HTML in expression tags. This is intended to help prevent XSS attacks caused by rendering unsanitized input from users. To revert this behavior in user's templates, they need to filter the expression through the 'n' filter. For example, ${ myhtml | n }. See .", - "cve": null, + "cve": "PVE-2021-32194", "id": "pyup.io-32194", "specs": [ "<1.1a1" @@ -14339,7 +18991,7 @@ }, { "advisory": "The AuthTktAuthenticationPolicy in pyramid before 1.3a1 did not use a timing-attack-aware string comparator. See https://github.com/Pylons/pyramid/pull/320 for more info.", - "cve": null, + "cve": "PVE-2021-32688", "id": "pyup.io-32688", "specs": [ "<1.3a1" @@ -14348,7 +19000,7 @@ }, { "advisory": "In pyramid 1.4a4 the ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to support newer hashing algorithms such as ``sha512``. Existing applications should consider updating if possible for improved security over the default md5 hashing.", - "cve": null, + "cve": "PVE-2021-32201", "id": "pyup.io-32201", "specs": [ "<1.4a4" 
@@ -14357,7 +19009,7 @@ }, { "advisory": "Pyramid 1.6a1 improves robustness to timing attacks in the ``AuthTktCookieHelper`` and the ``SignedCookieSessionFactory`` classes by using the stdlib's ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+). See: . Also, it avoids timing attacks against CSRF tokens. See: .", - "cve": null, + "cve": "PVE-2021-32203", "id": "pyup.io-32203", "specs": [ "<1.6a1" @@ -14377,7 +19029,7 @@ "pyramid-odesk": [ { "advisory": "pyramid-odesk before 1.1.2 performs logins and logouts through GET and is vulnerable to CSRF attacks.", - "cve": null, + "cve": "PVE-2021-26051", "id": "pyup.io-26051", "specs": [ "<1.1.2" @@ -14388,7 +19040,7 @@ "pyramid-weblayer": [ { "advisory": "pyramid-weblayer before 0.12 does not protect AJAX requests through the CSRF machinery.", - "cve": null, + "cve": "PVE-2021-26052", "id": "pyup.io-26052", "specs": [ "<0.12" @@ -14410,7 +19062,7 @@ "pyro4": [ { "advisory": "pyro4 before 4.72 is not secure because the HMAC encryption key used with the -k command line option is plainly visible.\r\nUpgrade to 4.72 to show warnings when attempting this. In future use Pyro's 2-way SSL feature or alternatively set the HMAC key in the (new) environment variable PYRO_HMAC_KEY", - "cve": null, + "cve": "PVE-2021-36298", "id": "pyup.io-36298", "specs": [ "<4.72" @@ -14421,7 +19073,7 @@ "pyrocko": [ { "advisory": "Pyrocko 1.1.1 fixes a handler injection vulnerability.", - "cve": null, + "cve": "PVE-2021-38937", "id": "pyup.io-38937", "specs": [ "<1.1.1" 
@@ -14431,7 +19083,7 @@ ], "pyrotools": [ { - "advisory": "Pyrotools before 1.0.1 updates requirements.txt to make sure urllib3 is a safe version. See CVE-2019-11324.", + "advisory": "Pyrotools 1.0.1 includes a fix for CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.", "cve": "CVE-2019-11324", "id": "pyup.io-37086", "specs": [ @@ -14443,7 +19095,7 @@ "pysam": [ { "advisory": "pysam 0.11.2 wraps htslib/samtools/bcfools versions 1.4.1 in response to a security fix in these libraries", - "cve": null, + "cve": "PVE-2021-34332", "id": "pyup.io-34332", "specs": [ "<0.11.2" 
@@ -14480,13 +19132,22 @@ "v": "<5.0.0" }, { - "advisory": "pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.", - "cve": "CVE-2017-1000433", - "id": "pyup.io-35700", + "advisory": "PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0. See CVE-2021-21239.", + "cve": "CVE-2021-21239", + "id": "pyup.io-39498", "specs": [ - "<=4.4.0" + "<6.5.0" ], - "v": "<=4.4.0" + "v": "<6.5.0" + }, + { + "advisory": "PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML Signature wrapping because it did not validate the SAML document against an XML schema. This allowed invalid XML documents to be processed and such a document can trick pysaml2 with a wrapped signature. This is fixed in PySAML2 6.5.0. 
See CVE-2021-21238.", + "cve": "CVE-2021-21238", + "id": "pyup.io-39497", + "specs": [ + "<6.5.0" + ], + "v": "<6.5.0" }, { "advisory": "Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data.", @@ -14496,12 +19157,21 @@ "<=4.4.0" ], "v": "<=4.4.0" + }, + { + "advisory": "pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.", + "cve": "CVE-2017-1000433", + "id": "pyup.io-35700", + "specs": [ + "<=4.4.0" + ], + "v": "<=4.4.0" } ], "pysandbox": [ { "advisory": "pysandbox before 1.0.2 allows access to several dict methods.", - "cve": null, + "cve": "PVE-2021-26053", "id": "pyup.io-26053", "specs": [ "<1.0.2" @@ -14510,7 +19180,7 @@ }, { "advisory": "pysandbox before 1.0.3 allows access to dict.__init__().", - "cve": null, + "cve": "PVE-2021-26054", "id": "pyup.io-26054", "specs": [ "<1.0.3" @@ -14519,7 +19189,7 @@ }, { "advisory": "pysandbox before 1.5 has several security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-26055", "id": "pyup.io-26055", "specs": [ "<1.5" @@ -14528,7 +19198,7 @@ }, { "advisory": "pysandbox before 1.6 isn't setting __builtins__ to readonly when execute() is used.", - "cve": null, + "cve": "PVE-2021-26056", "id": "pyup.io-26056", "specs": [ "<1.6" @@ -14539,7 +19209,7 @@ "pysbd": [ { "advisory": "Pysbd 0.3.0rc includes an upgrade of bleach to address a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38404", "id": "pyup.io-38404", "specs": [ "<0.3.0rc" @@ -14572,7 +19242,7 @@ "pyspf": [ { "advisory": "Pyspf 2.0.1 prevents cache poisoning attacks and malformed RR attacks.", - "cve": null, + "cve": "PVE-2021-37431", "id": "pyup.io-37431", "specs": [ "<2.0.1" 
@@ -14580,10 +19250,54 @@ "v": "<2.0.1" } ], + "pysstv": [ + { + "advisory": "Pysstv 0.5 bumps the 'Pillow' dependency version to avoid security vulnerabilities.", + "cve": "PVE-2021-40228", + "id": "pyup.io-40228", + "specs": [ + "<0.5" + ], + "v": "<0.5" + } + ], + "pytablewriter": [ + { + "advisory": "Pytablewriter 0.47.0 adding support to escape formula injection.", + "cve": "PVE-2021-41000", + "id": "pyup.io-41000", + "specs": [ + "<0.47.0" + ], + "v": "<0.47.0" + } + ], + "pytask": [ + { + "advisory": "Pytask 0.0.7 fixes error that 'outputdirectory' has to be relative to latex document due to security problems.", + "cve": "PVE-2021-41011", + "id": "pyup.io-41011", + "specs": [ + "<0.0.7" + ], + "v": "<0.0.7" + } + ], + "pytask-latex": [ + { + "advisory": "Pytask-latex 0.0.7 ensures that 'outputdirectory' is relative to the latex document to address security problems.", + "cve": "PVE-2021-39658", + "id": "pyup.io-39658", + "specs": [ + "<0.0.7" + ], + "v": "<0.0.7" + } + ], "pytest-aoc": [ { "advisory": "pytest-aoc 1.2a6 removes security misfeature: no cookies inside setup.cfg.", - "cve": null, + "cve": "PVE-2021-37267", "id": "pyup.io-37267", "specs": [ "<1.2a6" @@ -14594,7 +19308,7 @@ "pytest-devpi-server": [ { "advisory": "pytest-devpi-server before 1.1.0 uses a subshell in workspace.run.", - "cve": null, + "cve": "PVE-2021-26059", "id": "pyup.io-26059", "specs": [ "<1.1.0" @@ -14605,7 +19319,7 @@ "pytest-git": [ { "advisory": "pytest-git before 1.1.0 uses a subshell in workspace.run.", - "cve": null, + "cve": "PVE-2021-26060", "id": "pyup.io-26060", "specs": [ "<1.1.0" @@ -14616,7 +19330,7 @@ "pytest-profiling": [ { "advisory": "pytest-profiling before 1.1.0 uses a subshell in workspace.run.", - "cve": null, + "cve": "PVE-2021-26061", "id": "pyup.io-26061", "specs": [ "<1.1.0" 
@@ -14627,7 +19341,7 @@ "pytest-qt-app": [ { "advisory": "pytest-qt-app before 1.1.0 uses a subshell in workspace.run.", - "cve": null, + "cve": "PVE-2021-26062", "id": "pyup.io-26062", "specs": [ "<1.1.0" @@ -14638,7 +19352,7 @@ "pytest-server-fixtures": [ { "advisory": "pytest-server-fixtures before 1.1.0 uses a subshell in workspace.run.", - "cve": null, + "cve": "PVE-2021-26063", "id": "pyup.io-26063", "specs": [ "<1.1.0" @@ -14649,7 +19363,7 @@ "pytest-shutil": [ { "advisory": "pytest-shutil before 1.1.0 uses a subshell in workspace.run.", - "cve": null, + "cve": "PVE-2021-26064", "id": "pyup.io-26064", "specs": [ "<1.1.0" @@ -14660,7 +19374,7 @@ "pytest-verbose-parametrize": [ { "advisory": "pytest-verbose-parametrize before 1.1.0 uses a subshell in workspace.run.", - "cve": null, + "cve": "PVE-2021-26065", "id": "pyup.io-26065", "specs": [ "<1.1.0" 
@@ -14718,6 +19432,26 @@ ], "v": "<2.7.12,>=3.0,<3.4.5,>=3.5,<3.5.2" }, + { + "advisory": "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.", + "cve": "CVE-2021-3426", + "id": "pyup.io-40512", + "specs": [ + "<3.8.9", + ">=3.9.0,<3.9.3", + ">=3.10.0,<3.10.0a7" + ], + "v": "<3.8.9,>=3.9.0,<3.9.3,>=3.10.0,<3.10.0a7" + }, + { + "advisory": "Python 3.9.5 includes a fix for CVE-2021-29921: In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.", + "cve": "CVE-2021-29921", + "id": "pyup.io-40409", + "specs": [ + "<3.9.5" + ], + "v": "<3.9.5" + }, { "advisory": "The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.", "cve": "CVE-2011-4940", 
@@ -14762,6 +19496,15 @@ ], "v": ">=2.7,<2.7.3,>=3.2,<3.2.3,>=3.1,<3.1.5,<2.6.8" }, + { + "advisory": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. See: CVE-2021-3177.", + "cve": "CVE-2021-3177", + "id": "pyup.io-39465", + "specs": [ + ">=3.0.0,<=3.9.1" + ], + "v": ">=3.0.0,<=3.9.1" + }, { "advisory": "The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.", "cve": "CVE-2012-2135", 
@@ -14780,12 +19523,24 @@ ">=2.7,<2.7.2" ], "v": ">=3.2,<3.2.1,>=2.7,<2.7.2" + }, + { + "advisory": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.", + "cve": "CVE-2021-23336", + "id": "pyup.io-39619", + "specs": [ + ">=3.7.0,<3.7.10", + ">=3.8.0,<3.8.8", + ">=3.9.0,<3.9.2", + "<3.6.13" + ], + "v": ">=3.7.0,<3.7.10,>=3.8.0,<3.8.8,>=3.9.0,<3.9.2,<3.6.13" } ], "python-augeas": [ { "advisory": "python-augeas before 1.0.0 is vulnerable to cross-mountpoint and symlink attacks.", - "cve": null, + "cve": "PVE-2021-26077", "id": "pyup.io-26077", "specs": [ "<1.0.0" @@ -14827,7 +19582,7 @@ "python-clu": [ { "advisory": "Python-clu 0.5.1 removes an insecure Django requirement.", - "cve": null, + "cve": "PVE-2021-37800", "id": "pyup.io-37800", "specs": [ "<0.5.1" 
@@ -14837,18 +19592,18 @@ ], "python-dbusmock": [ { - "advisory": "python-dbusmock before 0.15.1 is vulnerable to a tempfile attack. When loading a template from an arbitrary file through the AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() Python method, don't create or use Python's *.pyc cached files. By tricking a user into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory. Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories.", - "cve": null, - "id": "pyup.io-26080", + "advisory": "Python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file. See CVE-2015-1326.", + "cve": "CVE-2015-1326", + "id": "pyup.io-37088", "specs": [ "<0.15.1" ], "v": "<0.15.1" }, { - "advisory": "Python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file. See CVE-2015-1326.", - "cve": "CVE-2015-1326", - "id": "pyup.io-37088", + "advisory": "python-dbusmock before 0.15.1 is vulnerable to a tempfile attack. When loading a template from an arbitrary file through the AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() Python method, don't create or use Python's *.pyc cached files. By tricking a user into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory. 
Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories.", + "cve": "PVE-2021-26080", + "id": "pyup.io-26080", "specs": [ "<0.15.1" ], @@ -14869,7 +19624,7 @@ "python-engineio": [ { "advisory": "Python-engineio 3.5.2 removes a security alert in the requirements.", - "cve": null, + "cve": "PVE-2021-37168", "id": "pyup.io-37168", "specs": [ "<3.5.2" @@ -14878,7 +19633,7 @@ }, { "advisory": "Python-engineio 3.9.0 addresses potential websocket cross-origin attacks. See: .", - "cve": null, + "cve": "PVE-2021-37307", "id": "pyup.io-37307", "specs": [ "<3.9.0" @@ -14931,7 +19686,7 @@ "python-jss": [ { "advisory": "Python-jss 2.1.0 updates the `urllib3` dependency to mitigate a vulnerability.", - "cve": null, + "cve": "PVE-2021-38564", "id": "pyup.io-38564", "specs": [ "<2.1.0" @@ -14960,18 +19715,18 @@ "v": "<1.5.4,>=2.0,<2.3.3" }, { - "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass. See: CVE-2013-2166.", - "cve": "CVE-2013-2166", - "id": "pyup.io-37748", + "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass", + "cve": "CVE-2013-2167", + "id": "pyup.io-37749", "specs": [ ">=0.2.3,<=0.2.5" ], "v": ">=0.2.3,<=0.2.5" }, { - "advisory": "python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass. See CVE-2013-2167.", - "cve": "CVE-2013-2167", - "id": "pyup.io-37749", + "advisory": "Python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass.", + "cve": "CVE-2013-2166", + "id": "pyup.io-37748", "specs": [ ">=0.2.3,<=0.2.5" ], 
@@ -14987,12 +19742,21 @@ "<0.6.3" ], "v": "<0.6.3" + }, + { + "advisory": "Python-libnmap 0.7.2 adds unittest for defusedxml to fix billionlaugh and external entities security issues. It also includes a fix for security issue on XXE (XML External Entities). See: CVE-2019-1010017.", + "cve": "CVE-2019-1010017", + "id": "pyup.io-39304", + "specs": [ + "<0.7.2" + ], + "v": "<0.7.2" } ], "python-libtorrent": [ { "advisory": "python-libtorrent before 1.0.6 has several undisclosed vulnerabilities related to uTP.", - "cve": null, + "cve": "PVE-2021-26084", "id": "pyup.io-26084", "specs": [ "<1.0.6" @@ -15015,7 +19779,7 @@ "python-nomad": [ { "advisory": "Python-nomad 1.0.1 updates `Requests` to 2.20.0. Earlier versions of `Requests` sent an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.", - "cve": null, + "cve": "PVE-2021-36602", "id": "pyup.io-36602", "specs": [ "<1.0.1" @@ -15026,7 +19790,7 @@ "python-openflow": [ { "advisory": "python-openflow 2016.1.a1 fixes a undisclosed security vulnerability.", - "cve": null, + "cve": "PVE-2021-33282", "id": "pyup.io-33282", "specs": [ "<2016.1.a1" @@ -15035,7 +19799,7 @@ }, { "advisory": "python-openflow 2019.1b3 change: Updated dependencies versions in order to fix security bugs.", - "cve": null, + "cve": "PVE-2021-37224", "id": "pyup.io-37224", "specs": [ "<2019.1b3" @@ -15046,7 +19810,7 @@ "python-otr": [ { "advisory": "python-otr before 1.1.0 is vulnerable to man-in-the-middle attacks as it allows to restart the protocol.", - "cve": null, + "cve": "PVE-2021-26086", "id": "pyup.io-26086", "specs": [ "<1.1.0" @@ -15057,7 +19821,7 @@ "python-picnic": [ { "advisory": "Python-picnic 1.2 prevents a seed-guessing attack by adding a per-signature salt to random tapes generation.", - "cve": null, + "cve": "PVE-2021-38681", "id": "pyup.io-38681", "specs": [ "<1.2" 
@@ -15068,7 +19832,7 @@ "python-pptx": [ { "advisory": "python-pptx before 0.6.12 used a vulnerable version of Pillow.", - "cve": null, + "cve": "PVE-2021-36382", "id": "pyup.io-36382", "specs": [ "<0.6.12" @@ -15079,7 +19843,7 @@ "python-saml": [ { "advisory": "python-saml before 2.1.6 is vulnerable to Signature Wrapping attacks.", - "cve": null, + "cve": "PVE-2021-26087", "id": "pyup.io-26087", "specs": [ "<2.1.6" @@ -15088,7 +19852,7 @@ }, { "advisory": "python-saml before 2.1.9 is vulnerable to Signature Wrapping attacks.", - "cve": null, + "cve": "PVE-2021-26088", "id": "pyup.io-26088", "specs": [ "<2.1.9" @@ -15103,12 +19867,21 @@ "<2.4.0" ], "v": "<2.4.0" + }, + { + "advisory": "Python-saml 2.5.0 includes security improvements to prevent XPath injection.", + "cve": "PVE-2021-39452", + "id": "pyup.io-39452", + "specs": [ + "<2.5.0" + ], + "v": "<2.5.0" } ], "python-secrets": [ { "advisory": "Python-secrets 0.9.1 adds ``six`` for securing ``input`` call.", - "cve": null, + "cve": "PVE-2021-37582", "id": "pyup.io-37582", "specs": [ "<0.9.1" @@ -15117,7 +19890,7 @@ }, { "advisory": "Python-secrets before 19.10.0 adds control of umask for better file perm security.", - "cve": null, + "cve": "PVE-2021-37583", "id": "pyup.io-37583", "specs": [ "<19.10.0" @@ -15126,7 +19899,7 @@ }, { "advisory": "Python-secrets before 19.8.0 adds insecure permissions checking", - "cve": null, + "cve": "PVE-2021-37401", "id": "pyup.io-37401", "specs": [ "<19.8.0" @@ -15135,7 +19908,7 @@ }, { "advisory": "Python-secrets 19.8.3 ensures more secure permissions.", - "cve": null, + "cve": "PVE-2021-37421", "id": "pyup.io-37421", "specs": [ "<19.8.3" @@ -15157,7 +19930,7 @@ "python-socketio": [ { "advisory": "Python-socketio 4.3.0 addresses potential websocket cross-origin attacks. See: .", - "cve": null, + "cve": "PVE-2021-37308", "id": "pyup.io-37308", "specs": [ "<4.3.0" 
@@ -15168,7 +19941,7 @@ "python-zeep": [ { "advisory": "python-zeep 0.4.0 adds defusedxml module for XML security issues.", - "cve": null, + "cve": "PVE-2021-36504", "id": "pyup.io-36504", "specs": [ "<0.4.0" @@ -15179,7 +19952,7 @@ "python3-ldap": [ { "advisory": "python3-ldap before 0.9.5.4 has a security issue in lazy connections.", - "cve": null, + "cve": "PVE-2021-26089", "id": "pyup.io-26089", "specs": [ "<0.9.5.4" @@ -15190,7 +19963,7 @@ "python3-saml": [ { "advisory": "python3-saml before 1.1.4 is vulnerable to signature wrapping attacks.", - "cve": null, + "cve": "PVE-2021-26090", "id": "pyup.io-26090", "specs": [ "<1.1.4" @@ -15199,7 +19972,7 @@ }, { "advisory": "python3-saml 1.2.0 introduces several undisclosed security improvements.", - "cve": null, + "cve": "PVE-2021-26091", "id": "pyup.io-26091", "specs": [ "<1.2.0" @@ -15223,12 +19996,21 @@ "<1.4.0" ], "v": "<1.4.0" + }, + { + "advisory": "Python3-saml 1.5.0 contains security improvements to prevent XPath injection. It also disables DTD on the fromstring defusedxml method.", + "cve": "PVE-2021-39454", + "id": "pyup.io-39454", + "specs": [ + "<1.5.0" + ], + "v": "<1.5.0" } ], "pytorch-lightning": [ { "advisory": "Pytorch-lightning 0.9.0 fixes a shell injection vulnerability in a subprocess call.", - "cve": null, + "cve": "PVE-2021-38707", "id": "pyup.io-38707", "specs": [ "<0.9.0" @@ -15239,7 +20021,7 @@ "pytrackdat": [ { "advisory": "Pytrackdat 0.2.0 validates the security of the administrator passwords.", - "cve": null, + "cve": "PVE-2021-37141", "id": "pyup.io-37141", "specs": [ "<0.2.0" @@ -15250,7 +20032,7 @@ "pytsite": [ { "advisory": "pytsite before 1.2 has a critical web login security issue.", - "cve": null, + "cve": "PVE-2021-34825", "id": "pyup.io-34825", "specs": [ "<1.2" 
@@ -15261,7 +20043,7 @@ "pyu4v": [ { "advisory": "Pyu4v 9.1.2.0 introduced the option to create a secure snapshot by means of `create_storage_group_snapshot`.", - "cve": null, + "cve": "PVE-2021-37914", "id": "pyup.io-37914", "specs": [ "<9.1.2.0" @@ -15272,7 +20054,7 @@ "pyupdater": [ { "advisory": "pyupdater before 0.20.0 is vulnerable to session fixation attacks and potentially cookie stealing.", - "cve": null, + "cve": "PVE-2021-26092", "id": "pyup.io-26092", "specs": [ "<0.20.0" @@ -15292,7 +20074,7 @@ }, { "advisory": "Pyvcloud 20.1.0 includes a fix for a pyyaml vulnerability found in requirements.txt", - "cve": null, + "cve": "PVE-2021-37518", "id": "pyup.io-37518", "specs": [ "<20.1.0" @@ -15303,7 +20085,7 @@ "pyvisa": [ { "advisory": "pyvisa before 0.9 has a undisclosed security vulnerability in visa.py.", - "cve": null, + "cve": "PVE-2021-26093", "id": "pyup.io-26093", "specs": [ "<0.9" @@ -15314,7 +20096,7 @@ "pywbem": [ { "advisory": "pywbem 0.13.0 increases the minimum required versions dependent Python\r\n packages in order to fix security issues with these packages.", - "cve": null, + "cve": "PVE-2021-36927", "id": "pyup.io-36927", "specs": [ "<0.13.0" @@ -15323,7 +20105,7 @@ }, { "advisory": "Pywbem 0.14.3 updates the following packages to address security vulnerabilities:\r\n\r\n* requests from 2.19.1 to 2.20.1 (when on Python 2.7 or higher)\r\n* urllib3 from 1.22 to 1.23\r\n* bleach from 2.1.0 to 2.1.4", - "cve": null, + "cve": "PVE-2021-38577", "id": "pyup.io-38577", "specs": [ "<0.14.3" 
@@ -15332,7 +20114,7 @@ }, { "advisory": "Pywbem 0.17.0 changes the HTTPS support of `pywbem.WBEMListener` from using the deprecated `ssl.wrap_socket()` function to using the `ssl.SSLContext` class that was introduced in Python 2.7.9. This causes more secure SSL settings to be used. On Python versions before 2.7.9, pywbem will continue to use the deprecated `ssl.wrap_socket()` function.", - "cve": null, + "cve": "PVE-2021-38576", "id": "pyup.io-38576", "specs": [ "<0.17.0" @@ -15341,7 +20123,7 @@ }, { "advisory": "Pywbem 1.0.0 increases versions of the following packages to address security vulnerabilities:\r\n* requests from 2.19.1 to 2.20.1\r\n* urllib3 from 1.22 to 1.23\r\n* bleach from 2.1.0 to 2.1.4", - "cve": null, + "cve": "PVE-2021-37517", "id": "pyup.io-37517", "specs": [ "<1.0.0" 
@@ -15350,18 +20132,36 @@ }, { "advisory": "To address security vulnerabilities, pywbem 1.0.0b1 increases the versions of requests (from 2.19.1 to 2.20.1), urllib3 (from 1.22 to 1.23), and bleach (from 2.1.0 to 2.1.4). These packages are only used for development of pywbem.\r\n\r\nAlso, pywbem 1.0.0b1 changes the HTTPS support of `pywbem.WBEMListener` from using the deprecated `ssl.wrap_socket()` function to using the `ssl.SSLContext` class that was introduced in Python 2.7.9. This causes more secure SSL settings to be used. On Python versions before 2.7.9, pywbem will continue to use the deprecated `ssl.wrap_socket()` function.", - "cve": null, + "cve": "PVE-2021-38444", "id": "pyup.io-38444", "specs": [ "<1.0.0b1" ], "v": "<1.0.0b1" + }, + { + "advisory": "Pywbem 1.2.0 increases minimum version of the 'PyYAML' to 5.2 on Python 3.4 and to 5.3.1 on Python 2.7 and >=3.5, minimum version of the 'urllib3' to 1.24.2 on Python 3.4 and to 1.25.9 on Python 2.7 and >=3.5, minimum version of the 'requests' to 2.20.1 on Python 3.4 and to 2.22.0 on Python 2.7 and >=3.5 to address security issues reported by Safety.", + "cve": "PVE-2021-40314", + "id": "pyup.io-40314", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + }, + { + "advisory": "Pywbem 1.2.0.dev1 increases the minimum version of 'PyYAML' to 5.2 on Python 3.4 and to 5.3.1 on Python 2.7 and >=3.5 to address security issues (- the relevant functions of PyYAML are not used by pywbem, though.) \r\n\r\nAdditionally, pywbem 1.2.0.dev1 increases the minimum version of 'urllib3' to 1.24.2 on Python 3.4 and to 1.25.9 on Python 2.7 and >=3.5 to address security issues. To support these versions of urllib3, the minimum version of\r\n'requests' was increased to 2.20.1 on Python 3.4 and to 2.22.0 on Python 2.7 and >=3.5.\r\n\r\nLastly, pywbem 1.2.0.dev1 increases the minimum versions of several other packages that are needed only for test or development of pywbem to address security issues. 
In particular: requests-toolbelt to 0.8.0; lxml to 4.6.2 (except for Python 3.4); pylint to 2.5.2 and astroid to 2.4.0 on Python >=3.5; typed-ast to 1.3.2 on Python 3.4; twine to 3.0.0 on Python >=3.6; pkginfo to 1.4.2; bleach to 3.1.2 on Python 3.4 and to 3.1.4 on Python 2.7 and Python >=3.5.", + "cve": "PVE-2021-39383", + "id": "pyup.io-39383", + "specs": [ + "<1.2.0.dev1" + ], + "v": "<1.2.0.dev1" } ], "pywbemtools": [ { "advisory": "Pywbemtools 0.6.0 increases the minimum versions of some packages used for development to address security issues: twine, bleach, urllib3.", - "cve": null, + "cve": "PVE-2021-38169", "id": "pyup.io-38169", "specs": [ "<0.6.0" @@ -15372,7 +20172,7 @@ "pywebsite": [ { "advisory": "pywebsite 0.1.14pre's signed_url method is now (more) immune to VS timing attacks.", - "cve": null, + "cve": "PVE-2021-26094", "id": "pyup.io-26094", "specs": [ "<0.1.14pre" @@ -15381,7 +20181,7 @@ }, { "advisory": "pywebsite before 0.1.9pre is vulnerable to length extension attacks, and value equivalence attacks.", - "cve": null, + "cve": "PVE-2021-26095", "id": "pyup.io-26095", "specs": [ "<0.1.9pre" @@ -15392,12 +20192,21 @@ "pywikibot": [ { "advisory": "Pywikibot 3.0.20181203 require requests version 2.20.0 or later for security reasons.", - "cve": null, + "cve": "PVE-2021-38151", "id": "pyup.io-38151", "specs": [ "<3.0.20181203" ], "v": "<3.0.20181203" + }, + { + "advisory": "Pywikibot 6.1.0 starts to require the 'Pillow' >=8.1.1 due to a known vulnerability.", + "cve": "PVE-2021-40579", + "id": "pyup.io-40579", + "specs": [ + "<6.1.0" + ], + "v": "<6.1.0" } ], "pywren-ibm-cloud": [ @@ -15423,7 +20232,7 @@ "pyxmlsecurity": [ { "advisory": "pyxmlsecurity 0.9 protects against wrapping attacks.", - "cve": null, + "cve": "PVE-2021-26096", "id": "pyup.io-26096", "specs": [ "<0.9" 
@@ -15434,7 +20243,7 @@ "pyxnat": [ { "advisory": "Pyxnat 1.1.0.0 fixes a vulnerability by upgrading the `requests` package.", - "cve": null, + "cve": "PVE-2021-37196", "id": "pyup.io-37196", "specs": [ "<1.1.0.0" @@ -15462,7 +20271,16 @@ "v": "<5.3.1" }, { - "advisory": "CVE-2019-20477: PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.", + "advisory": "A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.", + "cve": "CVE-2020-14343", + "id": "pyup.io-39611", + "specs": [ + "<5.4" + ], + "v": "<5.4" + }, + { + "advisory": "PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.", "cve": "CVE-2019-20477", "id": "pyup.io-38639", "specs": [ @@ -15474,7 +20292,7 @@ "qi-jabberhelpdesk": [ { "advisory": "qi-jabberhelpdesk 0.30 includes unspecified security fixes, some vulnerable xml-rpc calls fixed. [ggozad]", - "cve": null, + "cve": "PVE-2021-36052", "id": "pyup.io-36052", "specs": [ "<0.30" @@ -15485,7 +20303,7 @@ "qi.jabberhelpdesk": [ { "advisory": "qi.jabberhelpdesk before 0.30 has several undisclosed vulnerabilities in xml-rpc calls.", - "cve": null, + "cve": "PVE-2021-26097", "id": "pyup.io-26097", "specs": [ "<0.30" 
@@ -15493,10 +20311,21 @@ "v": "<0.30" } ], + "qlib": [ + { + "advisory": "This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function. See CVE-2021-23338.", + "cve": "CVE-2021-23338", + "id": "pyup.io-39620", + "specs": [ + ">=0.0.0" + ], + "v": ">=0.0.0" + } + ], "quandl-fund-xlsx": [ { "advisory": "quandl-fund-xlsx 0.2.1 - Minor security fix, requests version now >=2.20.0", - "cve": null, + "cve": "PVE-2021-36655", "id": "pyup.io-36655", "specs": [ "<0.2.1" @@ -15504,10 +20333,30 @@ "v": "<0.2.1" } ], + "quart": [ + { + "advisory": "Quart 0.4.0 allows the request to be limited to prevent DOS attacks.", + "cve": "PVE-2021-39235", + "id": "pyup.io-39235", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + }, + { + "advisory": "Quart 0.5.0 refactors to mitigate DOS attacks.", + "cve": "PVE-2021-39234", + "id": "pyup.io-39234", + "specs": [ + "<0.5.0" + ], + "v": "<0.5.0" + } + ], "quilt": [ { "advisory": "quilt 2.9.14 updates urllib3 version for security patch", - "cve": null, + "cve": "PVE-2021-36749", "id": "pyup.io-36749", "specs": [ "<2.9.14" @@ -15518,7 +20367,7 @@ "quintagroup-seoptimizer": [ { "advisory": "quintagroup-seoptimizer 3.0.4 fixes a security issue for SEO Property action and view\r\n http://plone.org/products/plone-seo/issues/24", - "cve": null, + "cve": "PVE-2021-36006", "id": "pyup.io-36006", "specs": [ "<3.0.4" @@ -15529,7 +20378,7 @@ "quintagroup.seoptimizer": [ { "advisory": "quintagroup.seoptimizer before 3.0.4 has a security issue for SEO Property action and view.", - "cve": null, + "cve": "PVE-2021-26098", "id": "pyup.io-26098", "specs": [ "<3.0.4" 
@@ -15540,7 +20389,7 @@ "qurro": [ { "advisory": "The text boxes in qurro 0.4.0 describing the currently-selected numerator / denominator features are now \"read-only\" (you can't edit them while using Qurro). This should remove any vulnerability to accidental edits of these text boxes.", - "cve": null, + "cve": "PVE-2021-37374", "id": "pyup.io-37374", "specs": [ "<0.4.0" @@ -15551,7 +20400,7 @@ "qutebrowser": [ { "advisory": "Qutebrowser 1.0.3 ships with PyQt 5.9.1 and Qt 5.9.2 which includes security fixes from Chromium up to version 61.0.3163.79.", - "cve": null, + "cve": "PVE-2021-35044", "id": "pyup.io-35044", "specs": [ "<1.0.3" @@ -15560,7 +20409,7 @@ }, { "advisory": "Qutebrowser 1.1.2 ships with Qt 5.10.1 which includes security fixes from Chromium up to version 64.0.3282.140.", - "cve": null, + "cve": "PVE-2021-35786", "id": "pyup.io-35786", "specs": [ "<1.1.2" @@ -15576,9 +20425,18 @@ ], "v": "<1.11.1" }, + { + "advisory": "The Windows and macOS releases of Qutebrowser 1.14.1 ship Qt 5.15.2, which is based on Chromium 83.0.4103.122 with security fixes up to 86.0.4240.183. This includes CVE-2020-15999 in the bundled freetype library, which is known to be exploited in the wild.", + "cve": "CVE-2020-15999", + "id": "pyup.io-39227", + "specs": [ + "<1.14.1" + ], + "v": "<1.14.1" + }, { "advisory": "In qutebrowser 1.3.0, support for JavaScript Shared Web Workers has been disabled on Qt versions older than 5.11 because of security issues in Chromium. You can get the same effect in earlier versions via `:set qt.args ['disable-shared-workers']`. An equivalent workaround is also contained in Qt 5.9.5 and 5.10.1.", - "cve": null, + "cve": "PVE-2021-36929", "id": "pyup.io-36929", "specs": [ "<1.3.0" 
@@ -15596,7 +20454,7 @@ }, { "advisory": "Qutebrowser 1.4.0 ships with Qt 5.11.1 in the macOS and Windows releases, which are based on Chromium 65.0.3325.151 with security fixes up to Chromium 67.0.3396.87. The security fix in v1.3.3 caused URLs with ampersands (`www.example.com?one=1&two=2`) to send the wrong arguments when clicked on the `qute://history` page.", - "cve": null, + "cve": "PVE-2021-36294", "id": "pyup.io-36294", "specs": [ "<1.4.0" @@ -15614,7 +20472,7 @@ }, { "advisory": "Qutebrowser 1.5.0 ships with Python 3.7, PyQt 5.11.3 and Qt 5.11.2. QtWebEngine includes security fixes up to Chromium 68.0.3440.75 and various other fixes.", - "cve": null, + "cve": "PVE-2021-36521", "id": "pyup.io-36521", "specs": [ "<1.5.0" @@ -15623,7 +20481,7 @@ }, { "advisory": "Qutebrowser 1.6.0 ships with Qt 5.12.1 which is based on Chromium 69.0.3497.128 with security fixes up to 71.0.3578.94.", - "cve": null, + "cve": "PVE-2021-36199", "id": "pyup.io-36199", "specs": [ "<1.6.0" @@ -15641,7 +20499,7 @@ }, { "advisory": "Qutebrowser 1.6.2 ships with Qt 5.12.3 in the macOS and Windows releases, which includes security fixes up to Chromium 73.0.3683.75.", - "cve": null, + "cve": "PVE-2021-37120", "id": "pyup.io-37120", "specs": [ "<1.6.2" @@ -15650,7 +20508,7 @@ }, { "advisory": "Qutebrowser 1.7.0 ships with Qt 5.12.4 in the macOS and Windows releases, which includes security fixes up to Chromium 74.0.3729.157.", - "cve": null, + "cve": "PVE-2021-37507", "id": "pyup.io-37507", "specs": [ "<1.7.0" @@ -15659,7 +20517,7 @@ }, { "advisory": "Qutebrowser 1.8.0 ships with Qt 5.13.0 and QtWebEngine 5.13.1 in the macOS releases (based on Chromium 73.0.3683.105), and Qt/QtWebEngine 5.12.5 in the Windows release (based on Chromium 69.0.3497.128), which both include security fixes up to Chromium 76.0.3809.87.", - "cve": null, + "cve": "PVE-2021-37506", "id": "pyup.io-37506", "specs": [ "<1.8.0" 
@@ -15668,7 +20526,7 @@ }, { "advisory": "Qutebrowser 1.8.1 ships with Qt/QtWebEngine 5.12.5 in the macOS and Windows releases, which are based on Chromium 69.0.3497.128 with security fixes up to Chromium 76.0.3809.87.", - "cve": null, + "cve": "PVE-2021-37511", "id": "pyup.io-37511", "specs": [ "<1.8.1" @@ -15688,7 +20546,7 @@ "radicale": [ { "advisory": "radicale before 1.1.2 is vulnerable to bruteforce attacks when using the htpasswd authentication method.", - "cve": null, + "cve": "PVE-2021-33323", "id": "pyup.io-33323", "specs": [ "<1.1.2" @@ -15699,7 +20557,7 @@ "raiden": [ { "advisory": "Raiden 0.10.0 fixes a security issue where an attacker could eavesdrop Matrix communications between two nodes in private rooms.", - "cve": null, + "cve": "PVE-2021-37316", "id": "pyup.io-37316", "specs": [ "<0.10.0" @@ -15708,7 +20566,7 @@ }, { "advisory": "The Monitoring Service database in raiden before 0.2.0 (before 0.100.5.dev0) is vulnerable to timing based Monitoring Request injection. See .", - "cve": null, + "cve": "PVE-2021-37364", "id": "pyup.io-37364", "specs": [ "<0.2.0", @@ -15718,7 +20576,7 @@ }, { "advisory": "Raiden 0.4.1 prevents DOS attacks and race conditions that caused client crashes.", - "cve": null, + "cve": "PVE-2021-38520", "id": "pyup.io-38520", "specs": [ "<0.4.1" @@ -15729,7 +20587,7 @@ "raiden-services": [ { "advisory": "In raiden-services before 0.2.0 , the Monitoring Service database was vulnerable to timing-based Monitoring Request injection. See: .", - "cve": null, + "cve": "PVE-2021-37317", "id": "pyup.io-37317", "specs": [ "<0.2.0" @@ -15740,7 +20598,7 @@ "ramlwrap": [ { "advisory": "Ramlwrap 2.2.2 updates PyYAML to a more secure version.", - "cve": null, + "cve": "PVE-2021-38298", "id": "pyup.io-38298", "specs": [ "<2.2.2" 
@@ -15748,6 +20606,17 @@ "v": "<2.2.2" } ], + "rapidtide": [ + { + "advisory": "Rapidtide 2.0.2 starts to require the 'Tensorflow' 2.4.0 or above to address a security issue.", + "cve": "PVE-2021-40991", + "id": "pyup.io-40991", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" + } + ], "rasa": [ { "advisory": "Rasa 1.10.0 updates the pyyaml dependency to 5.3.1 to fix CVE-2020-1747.", @@ -15757,6 +20626,15 @@ "<1.10.0" ], "v": "<1.10.0" + }, + { + "advisory": "The slack connector in rasa 2.1.0 changes the configuration for 'slack_signing_secret' to make the connector more secure (issue 7204). The configuration value needs to be added to your 'credentials.yml' if you are using the slack connector.", + "cve": "PVE-2021-39308", + "id": "pyup.io-39308", + "specs": [ + "<2.1.0" + ], + "v": "<2.1.0" } ], "rasa-sdk": [ @@ -15773,7 +20651,7 @@ "rauth": [ { "advisory": "rauth before 0.7.0 isn't using a secure random number generator.", - "cve": null, + "cve": "PVE-2021-26099", "id": "pyup.io-26099", "specs": [ "<0.7.0" @@ -15784,7 +20662,7 @@ "raylib": [ { "advisory": "Raylib 1.1.1 adds a security check if a file doesn't exist - [textures]", - "cve": null, + "cve": "PVE-2021-37166", "id": "pyup.io-37166", "specs": [ "<1.1.1" @@ -15793,7 +20671,7 @@ }, { "advisory": "Raylib 1.2 adds a security check in case deployed vertex excess buffer size - [rlgl]", - "cve": null, + "cve": "PVE-2021-37165", "id": "pyup.io-37165", "specs": [ "<1.2" @@ -15804,7 +20682,7 @@ "rchitect": [ { "advisory": "Rchitect 0.3.28 includes a new environment variable to stop reticulate code injection.", - "cve": null, + "cve": "PVE-2021-38971", "id": "pyup.io-38971", "specs": [ "<0.3.28" 
@@ -15812,10 +20690,21 @@ "v": "<0.3.28" } ], + "rdflib": [ + { + "advisory": "Rdflib 4.0 includes validation for URIRefs and Literal language tags on construction to avoiding some \"RDF-injection\" issues.", + "cve": "PVE-2021-41014", + "id": "pyup.io-41014", + "specs": [ + "<4.0" + ], + "v": "<4.0" + } + ], "rdiff-backup": [ { "advisory": "Version 0.5.0 increased rdiff-backup's security by using popen2.Popen3 and os.spawnvp instead of os.popen and os.system.", - "cve": null, + "cve": "PVE-2021-38068", "id": "pyup.io-38068", "specs": [ "<0.5.0" @@ -15824,7 +20713,7 @@ }, { "advisory": "Rdiff-backup 0.9.3 adds some security features to the protocol, so rdiff-backup will now only allow commands from remote connections. The extra security will be enabled automatically on the client (it knows what to expect), but\r\nthe extra switches --restrict, --restrict-update-only, and --restrict-read-only have been added for use with --server.", - "cve": null, + "cve": "PVE-2021-38067", "id": "pyup.io-38067", "specs": [ "<0.9.3" @@ -15833,7 +20722,7 @@ }, { "advisory": "Rdiff-backup 1.0.2 includes a fix for a spurious security violation from --create-full-path and a fix for bug 14545 which was introduced in version 1.0.1: Quoting caused a spurious security violation.", - "cve": null, + "cve": "PVE-2021-38064", "id": "pyup.io-38064", "specs": [ "<1.0.2" @@ -15842,7 +20731,7 @@ }, { "advisory": "Rdiff-backup 1.1.6 fixes a security violation when restoring from a remote repository.", - "cve": null, + "cve": "PVE-2021-38063", "id": "pyup.io-38063", "specs": [ "<1.1.6" @@ -15853,7 +20742,7 @@ "readsettings": [ { "advisory": "Readsettings 3.3.1 replaces `yaml.load` with the more secure, `yaml.safe_load`.", - "cve": null, + "cve": "PVE-2021-37027", "id": "pyup.io-37027", "specs": [ "<3.3.1" 
@@ -15872,10 +20761,21 @@ "v": "<=2.6.2" } ], + "refitt": [ + { + "advisory": "Refitt 0.16.5 updates dependencies with known vulnerabilities.", + "cve": "PVE-2021-40815", + "id": "pyup.io-40815", + "specs": [ + "<0.16.5" + ], + "v": "<0.16.5" + } + ], "remme": [ { "advisory": "remme 0.2.1alpha reviewed and fixed security issues on token operations.", - "cve": null, + "cve": "PVE-2021-36973", "id": "pyup.io-36973", "specs": [ "<0.2.1alpha" @@ -15895,7 +20795,7 @@ "rendertron": [ { "advisory": "Rendertron 3.0.0 fixes a security issue with AppEngine deployments.", - "cve": null, + "cve": "PVE-2021-38571", "id": "pyup.io-38571", "specs": [ "<3.0.0" @@ -15915,7 +20815,7 @@ }, { "advisory": "Renku 0.6.0 updates the werkzeug package due to security concerns - see https://github.com/SwissDataScienceCenter/renku-python/issues/633", - "cve": null, + "cve": "PVE-2021-37548", "id": "pyup.io-37548", "specs": [ "<0.6.0" @@ -15926,7 +20826,7 @@ "repobee": [ { "advisory": "Repobee 0.4.0 adds a strict security policy to prevent malicious code from executing.", - "cve": null, + "cve": "PVE-2021-38523", "id": "pyup.io-38523", "specs": [ "<0.4.0" @@ -15935,7 +20835,7 @@ }, { "advisory": "Repobee 1.3.2 uses git pull instead of git clone. This is a security update.", - "cve": null, + "cve": "PVE-2021-38522", "id": "pyup.io-38522", "specs": [ "<1.3.2" @@ -15944,7 +20844,7 @@ }, { "advisory": "Repobee 2.0.2 includes a fix that filters out secure token from `show-config` command output [92aa5cf08cc08d2647a9f22bb6ff120cd5a88360].", - "cve": null, + "cve": "PVE-2021-37383", "id": "pyup.io-37383", "specs": [ "<2.0.2" 
@@ -15961,12 +20861,30 @@ "<=3.5.26" ], "v": "<=3.5.26" + }, + { + "advisory": "All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF. See CVE-2020-28463.", + "cve": "CVE-2020-28463", + "id": "pyup.io-39642", + "specs": [ + ">=0.0" + ], + "v": ">=0.0" } ], "requests": [ { - "advisory": "requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect.\r\nFix CVE-2014-1829 and CVE-2014-1830 respectively.", - "cve": "CVE-2014-1829, CVE-2014-1830", + "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. This fixes CVE-2014-1830.", + "cve": "CVE-2014-1830", + "id": "pyup.io-39575", + "specs": [ + "<2.3.0" + ], + "v": "<2.3.0" + }, + { + "advisory": "Requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. See: CVE-2014-1829.", + "cve": "CVE-2014-1829", "id": "pyup.io-26101", "specs": [ "<2.3.0" @@ -15975,7 +20893,7 @@ }, { "advisory": "requests 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.", - "cve": null, + "cve": "PVE-2021-26102", "id": "pyup.io-26102", "specs": [ "<2.6.0" 
@@ -16004,7 +20922,7 @@ "requests-kerberos": [ { "advisory": "requests-kerberos before 0.6 isn't handling mutual authentication correctly.", - "cve": null, + "cve": "PVE-2021-26104", "id": "pyup.io-26104", "specs": [ "<0.6" @@ -16035,7 +20953,7 @@ "responsibly": [ { "advisory": "Responsibly 0.0.3 fixes security issues with its dependencies.", - "cve": null, + "cve": "PVE-2021-37335", "id": "pyup.io-37335", "specs": [ "<0.0.3" @@ -16046,7 +20964,7 @@ "restauth": [ { "advisory": "restauth before 0.6.3 did not verify passwords for services when using SECURE_CACHE = True.", - "cve": null, + "cve": "PVE-2021-26105", "id": "pyup.io-26105", "specs": [ "<0.6.3" @@ -16068,7 +20986,7 @@ "restrictedpython": [ { "advisory": "Restrictedpython 4.0 ships with a default implementation for ``_getattr_`` which prevents from using the ``format()`` method on str/unicode as it is not safe. See .\r\n\r\n **Caution:** If you do not already have secured the access to this ``format()`` method in your ``_getattr_`` implementation use ``RestrictedPython.Guards.safer_getattr()`` in your implementation to benefit from this fix.", - "cve": null, + "cve": "PVE-2021-37433", "id": "pyup.io-37433", "specs": [ "<4.0" @@ -16079,7 +20997,7 @@ "restview": [ { "advisory": "restview before 2.8.1 isn't properly checking the host header in HTTP requests, leading to possible DNS rebinding attacks. More info: https://github.com/mgedmin/restview/issues/51", - "cve": null, + "cve": "PVE-2021-35166", "id": "pyup.io-35166", "specs": [ "<2.8.1" @@ -16090,7 +21008,7 @@ "ricloud": [ { "advisory": "ricloud 2.3.8 updates requests in requirements due to vulnerability discovery.", - "cve": null, + "cve": "PVE-2021-36723", "id": "pyup.io-36723", "specs": [ "<2.3.8" @@ -16101,7 +21019,7 @@ "rinzler": [ { "advisory": "rinzler 2.0.5 includes a PyYAML vulnerability correction", - "cve": null, + "cve": "PVE-2021-36895", "id": "pyup.io-36895", "specs": [ "<2.0.5" 
@@ -16112,7 +21030,7 @@ "river-admin": [ { "advisory": "River-admin 0.5.2 fixes a vulnerability issue with `serialize-javascript` dependency.", - "cve": null, + "cve": "PVE-2021-37698", "id": "pyup.io-37698", "specs": [ "<0.5.2" @@ -16120,10 +21038,32 @@ "v": "<0.5.2" } ], + "rmapy": [ + { + "advisory": "Rmapy 0.2.4 bumps jinja2 from version 2.10.1 to 2.11.3 to improve its security.", + "cve": "PVE-2021-40057", + "id": "pyup.io-40057", + "specs": [ + "<0.2.4" + ], + "v": "<0.2.4" + } + ], + "rnalysis": [ + { + "advisory": "Rnalysis 1.3.6 fixes a security vulnerability in the developer test environment.", + "cve": "PVE-2021-40801", + "id": "pyup.io-40801", + "specs": [ + "<1.3.6" + ], + "v": "<1.3.6" + } + ], "robotraconteur": [ { "advisory": "robotraconteur 0.9.0 changes: The `LocalTransport` file handle locations have been moved for increased security", - "cve": null, + "cve": "PVE-2021-37221", "id": "pyup.io-37221", "specs": [ "<0.9.0" @@ -16145,7 +21085,7 @@ "rosdep": [ { "advisory": "Rosdep 0.15.2 migrates to yaml.safe_load to avoid yaml.load vulnerabilities.", - "cve": null, + "cve": "PVE-2021-39115", "id": "pyup.io-39115", "specs": [ "<0.15.2" @@ -16156,7 +21096,7 @@ "rotten-tomatoes-cli": [ { "advisory": "Rotten-tomatoes-cli 0.0.2 updates the `pyyaml`, `urllib3`, and `requests` dependencies to avoid security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37315", "id": "pyup.io-37315", "specs": [ "<0.0.2" @@ -16205,7 +21145,7 @@ "rpc4django": [ { "advisory": "rpc4django before 0.2.3 is vulnerable to billion laughs denial of service attack.", - "cve": null, + "cve": "PVE-2021-26108", "id": "pyup.io-26108", "specs": [ "<0.2.3" @@ -16247,7 +21187,7 @@ "rs-django-jet": [ { "advisory": "rs-django-jet 1.0.4 fixes security issue with accessing model_lookup_view (when using RelatedFieldAjaxListFilter) without permissions.", - "cve": null, + "cve": "PVE-2021-36903", "id": "pyup.io-36903", "specs": [ "<1.0.4" 
@@ -16258,7 +21198,7 @@ "rsa": [ { "advisory": "rsa 2.0 includes several undisclosed security improvements.", - "cve": null, + "cve": "PVE-2021-26109", "id": "pyup.io-26109", "specs": [ "<2.0" @@ -16276,7 +21216,7 @@ }, { "advisory": "rsa before 3.4 has a undisclosed side-channel vulnerability.", - "cve": null, + "cve": "PVE-2021-26112", "id": "pyup.io-26112", "specs": [ "<3.4" @@ -16305,7 +21245,7 @@ "rsanic": [ { "advisory": "rsanic before 0.2.2 is vulnerable to XSS attacks.", - "cve": null, + "cve": "PVE-2021-33007", "id": "pyup.io-33007", "specs": [ "<0.2.2" @@ -16316,7 +21256,7 @@ "rsconnect-jupyter": [ { "advisory": "In addition to disabling TLS checking entirely, users in rsconnect-jupyter 1.3.0 have the option of uploading their own self-signed certificate bundle as a more secure TLS alternative.", - "cve": null, + "cve": "PVE-2021-38119", "id": "pyup.io-38119", "specs": [ "<1.3.0" @@ -16327,7 +21267,7 @@ "rss2email": [ { "advisory": "Rss2email 3.10 fixes SMTP security issues.", - "cve": null, + "cve": "PVE-2021-37430", "id": "pyup.io-37430", "specs": [ "<3.10" @@ -16349,7 +21289,7 @@ "rtv": [ { "advisory": "rtv before 1.12.1 has a security vulnerability where malicious URLs could inject python code.", - "cve": null, + "cve": "PVE-2021-26113", "id": "pyup.io-26113", "specs": [ "<1.12.1" @@ -16357,10 +21297,21 @@ "v": "<1.12.1" } ], + "rubicon-ml": [ + { + "advisory": "Rubicon-ml 0.2.6 includes a fix to address whitesource vulnerability.", + "cve": "PVE-2021-41017", + "id": "pyup.io-41017", + "specs": [ + "<0.2.6" + ], + "v": "<0.2.6" + } + ], "ruffruffs": [ { "advisory": "ruffruffs 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing.", - "cve": null, + "cve": "PVE-2021-26116", "id": "pyup.io-26116", "specs": [ "<2.6.0" 
@@ -16371,7 +21322,7 @@ "runway": [ { "advisory": "Runway 1.16.0 has enhanced security via nonce signing (Static Site AuthEdge).", - "cve": null, + "cve": "PVE-2021-39085", "id": "pyup.io-39085", "specs": [ "<1.16.0" @@ -16382,7 +21333,7 @@ "s4": [ { "advisory": "S4 0.4.2 upgrades boto3 to minimum requirement to fix a vulnerability in a urllib3 dependency.", - "cve": null, + "cve": "PVE-2021-37119", "id": "pyup.io-37119", "specs": [ "<0.4.2" @@ -16393,7 +21344,7 @@ "safety": [ { "advisory": "safety before 1.8.4 included the cryptography version <2.3, which had a security vulnerability.", - "cve": null, + "cve": "PVE-2021-36367", "id": "pyup.io-36367", "specs": [ "<1.8.4" @@ -16404,7 +21355,7 @@ "sagemaker-containers": [ { "advisory": "Sagemaker-containers 2.8.2 updates a dependency for security reasons.", - "cve": null, + "cve": "PVE-2021-38087", "id": "pyup.io-38087", "specs": [ "<2.8.2" @@ -16412,11 +21363,22 @@ "v": "<2.8.2" } ], + "sagemaker-pytorch-inference": [ + { + "advisory": "Sagemaker-pytorch-inference 1.4.1 updates various package versions to fix vulnerabilities.", + "cve": "PVE-2021-40029", + "id": "pyup.io-40029", + "specs": [ + "<1.4.1" + ], + "v": "<1.4.1" + } + ], "salt": [ { - "advisory": "Salt 3000.4 prevents shell injections in netapi SSH client (CVE-2020-16846) and prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).", - "cve": "CVE-2020-16846, CVE-2020-17490", - "id": "pyup.io-39159", + "advisory": "Salt 3000.4 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).", + "cve": "CVE-2020-17490", + "id": "pyup.io-39574", "specs": [ "<3000.4" ], 
@@ -16432,28 +21394,57 @@ "v": "<3001.1" }, { - "advisory": "Salt 3001.2 prevents shell injections in netapi SSH client (CVE-2020-16846) and prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).", - "cve": "CVE-2020-16846, CVE-2020-17490", - "id": "pyup.io-39158", + "advisory": "In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. See CVE-2020-25592.", + "cve": "CVE-2020-25592", + "id": "pyup.io-39571", + "specs": [ + "<=3002" + ], + "v": "<=3002" + }, + { + "advisory": "An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. See: CVE-2020-16846.", + "cve": "CVE-2020-16846", + "id": "pyup.io-39159", + "specs": [ + "<=3002" + ], + "v": "<=3002" + }, + { + "advisory": "Salt 3001.2 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).", + "cve": "CVE-2020-17490", + "id": "pyup.io-39573", "specs": [ ">=3001,<3001.2" ], "v": ">=3001,<3001.2" }, { - "advisory": "Salt 3002.1 prevents shell injections in netapi SSH client (CVE-2020-16846) and prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).\r\n\r\nIt also properly validates eauth credentials and tokens along with their ACLs. Prior to this change eauth was not properly validated when calling Salt ssh via the salt-api. 
Any value for 'eauth' or 'token' would allow a user to bypass authentication and make calls to Salt ssh (CVE-2020-25592).", - "cve": "CVE-2020-16846, CVE-2020-17490, CVE-2020-25592", - "id": "pyup.io-39157", + "advisory": "Salt 3002.1 prevents creating world-readable private keys with the TLS execution module (cve-2020-17490).", + "cve": "CVE-2020-17490", + "id": "pyup.io-39572", "specs": [ ">=3002,<3002.1" ], "v": ">=3002,<3002.1" } ], + "salted": [ + { + "advisory": "Salted 0.5.4 requires lxml version >= 4.6.2 as it fixes a vulnerability and works with Python 3.9.", + "cve": "PVE-2021-39320", + "id": "pyup.io-39320", + "specs": [ + "<0.5.4" + ], + "v": "<0.5.4" + } + ], "sanic-oauthlib": [ { "advisory": "Sanic-oauthlib 0.5.0 mentions \"**Security bug** for access token via `#92`\". No other information was provided.", - "cve": null, + "cve": "PVE-2021-38524", "id": "pyup.io-38524", "specs": [ "<0.5.0" @@ -16462,7 +21453,7 @@ }, { "advisory": "Sanic-oauthlib 0.9.1 improves security in a not further specified way.", - "cve": null, + "cve": "PVE-2021-37397", "id": "pyup.io-37397", "specs": [ "<0.9.1" @@ -16473,7 +21464,7 @@ "satosa": [ { "advisory": "satosa before 0.6.1 uses an insecure transitive dependency (pycrypto).", - "cve": null, + "cve": "PVE-2021-34714", "id": "pyup.io-34714", "specs": [ "<0.6.1" @@ -16484,7 +21475,7 @@ "sbp": [ { "advisory": "sbp 2.4.2 updates mocha away from a security vulnerability in growl [\\575](https://github.com/swift-nav/libsbp/pull/575)", - "cve": null, + "cve": "PVE-2021-36695", "id": "pyup.io-36695", "specs": [ "<2.4.2" @@ -16493,7 +21484,7 @@ }, { "advisory": "Sbp v2.6.5 pins minor rev versions, security fix for requests - see: https://github.com/swift-nav/libsbp/pull/709", - "cve": null, + "cve": "PVE-2021-36662", "id": "pyup.io-36662", "specs": [ "<2.6.5" 
@@ -16502,7 +21493,7 @@ }, { "advisory": "sbp 2.7.0 updates requests to resolve security issue (https://github.com/swift-nav/libsbp/pull/708)", - "cve": null, + "cve": "PVE-2021-37937", "id": "pyup.io-37937", "specs": [ "<2.7.0" @@ -16511,7 +21502,7 @@ }, { "advisory": "Sbp 2.7.0 updates requests to resolve security issue - see https://github.com/swift-nav/libsbp/pull/708", - "cve": null, + "cve": "PVE-2021-37642", "id": "pyup.io-37642", "specs": [ "<2.7.0" @@ -16520,7 +21511,7 @@ }, { "advisory": "Sbp 3.1.1 fixes a JavaScript security warning. See: .", - "cve": null, + "cve": "PVE-2021-38393", "id": "pyup.io-38393", "specs": [ "<2.8.0" @@ -16540,7 +21531,7 @@ }, { "advisory": "Scalyr-agent-2 version 2.1.10 fixes two bugs which opened up the possibility for MITM attack if an attacker was able to spoof or control the DNS. Additionally, this version explicitly requests TLS v1.2, which makes the agent more robust against potential downgrade attacks when connecting to the Scalyr API. This is only true when running the agent under Python >= 2.7.9.", - "cve": null, + "cve": "PVE-2021-38807", "id": "pyup.io-38807", "specs": [ "<2.1.10" @@ -16560,7 +21551,7 @@ }, { "advisory": "Scapy 2.4.2 addresses a Malicious Radius Attribute DoS vulnerability. See: .", - "cve": null, + "cve": "PVE-2021-37341", "id": "pyup.io-37341", "specs": [ ">=2.4.0,<2.4.2" @@ -16571,7 +21562,7 @@ "sceptre": [ { "advisory": "sceptre 2.3.0 fixes Jinja autoescape vulnerability", - "cve": null, + "cve": "PVE-2021-37821", "id": "pyup.io-37821", "specs": [ "<2.3.0" @@ -16582,7 +21573,7 @@ "scons": [ { "advisory": "Scons 4.0.0 converts the remaining uses of an insecure/deprecated mktemp method.", - "cve": null, + "cve": "PVE-2021-38489", "id": "pyup.io-38489", "specs": [ "<4.0.0" 
@@ -16590,10 +21581,21 @@ "v": "<4.0.0" } ], + "scrape": [ + { + "advisory": "Scrape 0.10.2 updates the 'lxml' dependency from 4.3.0 to 4.6.2. This is a security patch.", + "cve": "PVE-2021-39424", + "id": "pyup.io-39424", + "specs": [ + "<0.10.2" + ], + "v": "<0.10.2" + } + ], "scrapydd": [ { "advisory": "Scrapydd 0.6.3 enhances the security by adding protection against cross-site request forgery.", - "cve": null, + "cve": "PVE-2021-37457", "id": "pyup.io-37457", "specs": [ "<0.6.3" @@ -16604,7 +21606,7 @@ "scvae": [ { "advisory": "scvae 2.1.1 updates TensorFlow because of a security vulnerability.", - "cve": null, + "cve": "PVE-2021-37932", "id": "pyup.io-37932", "specs": [ "<2.1.1" @@ -16615,7 +21617,7 @@ "sdcclient": [ { "advisory": "Sdcclient 0.7.0 adds support for secure commands audit.", - "cve": null, + "cve": "PVE-2021-37050", "id": "pyup.io-37050", "specs": [ "<0.7.0" @@ -16626,7 +21628,7 @@ "seed-auth-api": [ { "advisory": "Seed-auth-api 0.9.3 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37441", "id": "pyup.io-37441", "specs": [ "<0.9.3" @@ -16637,7 +21639,7 @@ "seed-control-interface": [ { "advisory": "Seed-control-interface-service 0.9.16 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37440", "id": "pyup.io-37440", "specs": [ "<0.9.16" @@ -16648,7 +21650,7 @@ "seed-control-interface-service": [ { "advisory": "Seed-control-interface-service 0.9.6 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37442", "id": "pyup.io-37442", "specs": [ "<0.9.6" @@ -16659,7 +21661,7 @@ "seed-identity-store": [ { "advisory": "Seed-identity-store 0.10.2 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37437", "id": "pyup.io-37437", "specs": [ "<0.10.2" 
@@ -16670,7 +21672,7 @@ "seed-message-sender": [ { "advisory": "Seed-message-sender 0.10.9 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37436", "id": "pyup.io-37436", "specs": [ "<0.10.9" @@ -16681,7 +21683,7 @@ "seed-scheduler": [ { "advisory": "Seed-scheduler 0.10.2 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37439", "id": "pyup.io-37439", "specs": [ "<0.10.2" @@ -16692,7 +21694,7 @@ "seed-stage-based-messaging": [ { "advisory": "seed-stage-based-messaging 0.11.0 upgrades requests to fix security vulnerability", - "cve": null, + "cve": "PVE-2021-36653", "id": "pyup.io-36653", "specs": [ "<0.11.0" @@ -16701,7 +21703,7 @@ }, { "advisory": "Seed-stage-based-messaging 0.13.0 includes upgrades of dependencies with security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-37438", "id": "pyup.io-37438", "specs": [ "<0.13.0" 
@@ -16710,20 +21712,121 @@ } ], "seldon-core": [ + { + "advisory": "Seldon-core 0.2.4 includes a fix for Github security vulnerabilities in dependencies (issue 259) and a fix for vulnerability warnings with updates to engine and apife pom (issue 263).", + "cve": "PVE-2021-39360", + "id": "pyup.io-39360", + "specs": [ + "<0.2.4" + ], + "v": "<0.2.4" + }, + { + "advisory": "Seldon-core 0.3.0 includes a fix for old Containers & Security Vulnerabilities (issue 528). It also updates the TF version for security (pull 575), and updates jackson-databind from version 2.8.11.2 to version 2.9.8 to address CVE-2018-12022.", + "cve": "CVE-2018-12022", + "id": "pyup.io-39359", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + }, + { + "advisory": "Seldon-core 0.3.0 includes a fix for old Containers & Security Vulnerabilities (issue 528). It also updates the TF version for security (pull 575), and updates jackson-databind from version 2.8.11.2 to version 2.9.8 to address CVE-2018-12023 (pull 547).", + "cve": "CVE-2018-12023", + "id": "pyup.io-39547", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + }, + { + "advisory": "Seldon-core 0.4.0 includes a fix for CVE-2018-1000654 in openjdk:8u201-jre-alpine3.", + "cve": "CVE-2018-1000654", + "id": "pyup.io-39358", + "specs": [ + "<0.4.0" + ], + "v": "<0.4.0" + }, + { + "advisory": "Seldon-core 0.4.2 closes issue 981 which addresses a Java dependencies that is not secure, and also closes issue 893 about a patch to prevent XSS.", + "cve": "PVE-2021-39357", + "id": "pyup.io-39357", + "specs": [ + "<0.4.2" + ], + "v": "<0.4.2" + }, { "advisory": "seldon-core 0.5.1 bumps pillow from 6.0.0 to 6.2.0, see: https://github.com/SeldonIO/seldon-core/pull/1062", - "cve": null, + "cve": "PVE-2021-37893", "id": "pyup.io-37893", "specs": [ "<0.5.1" ], "v": "<0.5.1" + }, + { + "advisory": "Seldon-core 1.0.0 includes a fix for CVE-2019-18224.", + "cve": "CVE-2019-18224", + "id": "pyup.io-39546", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + 
"advisory": "Seldon-core 1.0.0 includes a fix for CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-39361", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + }, + { + "advisory": "Seldon-core 1.0.2 includes a fix for CVE-2019-18224.", + "cve": "CVE-2019-18224", + "id": "pyup.io-39356", + "specs": [ + "<1.0.2" + ], + "v": "<1.0.2" + }, + { + "advisory": "Seldon-core 1.2.0 adds XSS patches to executor. It also closes potential security vulnerability issues with Default Engine Java Opts (issue 1597) and Java JMX Server (issue 1595).", + "cve": "PVE-2021-39328", + "id": "pyup.io-39328", + "specs": [ + "<1.2.0" + ], + "v": "<1.2.0" + }, + { + "advisory": "Seldon-core 1.6.0 updates the 'PyYAML' dependency to version 5.4.1 to address CVE-2020-14343: A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.", + "cve": "CVE-2020-14343", + "id": "pyup.io-40781", + "specs": [ + "<1.6.0" + ], + "v": "<1.6.0" + } + ], + "selenium-support": [ + { + "advisory": "Selenium-support 0.0.1 disables download possibility for Google Chrome in headless mode by default.", + "cve": "PVE-2021-40225", + "id": "pyup.io-40225", + "specs": [ + "<0.0.1" + ], + "v": "<0.0.1" } ], "selenium-wire": [ { "advisory": "Selenium-wire 1.2.1 uses SHA256 digest when creating site certificates to fix Chrome HSTS security errors.", - "cve": null, + "cve": "PVE-2021-38396", "id": "pyup.io-38396", "specs": [ "<1.2.1" 
@@ -16731,19 +21834,39 @@ "v": "<1.2.1" } ], + "semversioner": [ + { + "advisory": "Semversioner 0.13.0 includes a fix for the 'Jinja2' dependency (CVE-2020-28493): This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.", + "cve": "CVE-2020-28493", + "id": "pyup.io-40118", + "specs": [ + "<0.13.0" + ], + "v": "<0.13.0" + } + ], "sentry": [ { "advisory": "sentry before 0.12.2 has a security flaw where exponential numbers in specially crafted params could cause a CPU attack.", - "cve": null, + "cve": "PVE-2021-33030", "id": "pyup.io-33030", "specs": [ "<0.12.2" ], "v": "<0.12.2" }, + { + "advisory": "Sentry 5.7.0 updates https-proxy-agent to 3.0.0 for security reasons (issue 2262).", + "cve": "PVE-2021-39296", + "id": "pyup.io-39296", + "specs": [ + "<5.7.0" + ], + "v": "<5.7.0" + }, { "advisory": "sentry before 6.1.1 is vulnerable to a remote code execution exploit.", - "cve": null, + "cve": "PVE-2021-26117", "id": "pyup.io-26117", "specs": [ "<6.1.1" @@ -16752,7 +21875,7 @@ }, { "advisory": "sentry before 7.4.0 has a XSS vulnerability with tag values not being escaped (on the group details page).", - "cve": null, + "cve": "PVE-2021-26118", "id": "pyup.io-26118", "specs": [ "<7.4.0" @@ -16761,7 +21884,7 @@ }, { "advisory": "sentry before 7.5.5 is vulnerable to a XSS attack in tags and the stream filter box.", - "cve": null, + "cve": "PVE-2021-26119", "id": "pyup.io-26119", "specs": [ "<7.5.5" @@ -16770,7 +21893,7 @@ }, { "advisory": "sentry before 7.6.1 is vulnerable to a XSS attack in tags and the stream filter box.", - "cve": null, + "cve": "PVE-2021-26120", "id": "pyup.io-26120", "specs": [ "<7.6.1" 
@@ -16779,7 +21902,7 @@ }, { "advisory": "sentry before 8.1.4 has a security issue where a superuser had the ability to inject data into audit logs through the admin UI.", - "cve": null, + "cve": "PVE-2021-26121", "id": "pyup.io-26121", "specs": [ "<8.1.4" @@ -16788,7 +21911,7 @@ }, { "advisory": "sentry before 8.1.5 if being run in multi-organization mode, it was possible for a user to craft a URL which would allow them to view membership details of other users.", - "cve": null, + "cve": "PVE-2021-26122", "id": "pyup.io-26122", "specs": [ "<8.1.5" @@ -16797,7 +21920,7 @@ }, { "advisory": "sentry before 8.2.2 has a security issue where a superuser had the ability to inject data into audit logs through the admin UI.", - "cve": null, + "cve": "PVE-2021-26123", "id": "pyup.io-26123", "specs": [ "<8.2.2" @@ -16806,7 +21929,7 @@ }, { "advisory": "sentry before 8.2.4 if being run in multi-organization mode, it was possible for a user to craft a URL which would allow them to view membership details of other users.", - "cve": null, + "cve": "PVE-2021-26124", "id": "pyup.io-26124", "specs": [ "<8.2.4" @@ -16815,7 +21938,7 @@ }, { "advisory": "sentry before 8.2.5 is vulnerable to an attack which allows API keys more permission than granted within the organization.", - "cve": null, + "cve": "PVE-2021-26125", "id": "pyup.io-26125", "specs": [ "<8.2.5" @@ -16824,7 +21947,7 @@ }, { "advisory": "sentry before 8.3.3 is vulnerable to an attack which allows API keys more permission than granted within the organization.", - "cve": null, + "cve": "PVE-2021-26126", "id": "pyup.io-26126", "specs": [ "<8.3.3" @@ -16833,7 +21956,7 @@ }, { "advisory": "sentry 8.8 includes various security fixes related to CSRF and XSS.", - "cve": null, + "cve": "PVE-2021-26127", "id": "pyup.io-26127", "specs": [ "<8.8" 
@@ -16844,7 +21967,7 @@ "sequoia-client-sdk": [ { "advisory": "sequoia-client-sdk 1.2.0 upgrades libraries `urllib3` and `requests` upgraded to solve security issues:", - "cve": null, + "cve": "PVE-2021-36949", "id": "pyup.io-36949", "specs": [ "<1.2.0" @@ -16853,7 +21976,7 @@ }, { "advisory": "Sequoia-client-sdk 2.0.0 upgrades `urllib3` and `requests` to solve security issues.", - "cve": null, + "cve": "PVE-2021-37199", "id": "pyup.io-37199", "specs": [ "<2.0.0" @@ -16864,7 +21987,7 @@ "serpscrap": [ { "advisory": "Serpscrap 0.13.0 updates the dependency on chromedriver to >= 76.0.3809.68 and sqlalchemy>=1.3.7 to solve security issues and other minor update changes.", - "cve": null, + "cve": "PVE-2021-37406", "id": "pyup.io-37406", "specs": [ "<0.13.0" @@ -16875,7 +21998,7 @@ "sesame": [ { "advisory": "sesame 0.3.0 is using a secure extraction/decryption using tempfile.", - "cve": null, + "cve": "PVE-2021-26128", "id": "pyup.io-26128", "specs": [ "<0.3.0" @@ -16886,7 +22009,7 @@ "setup-tools": [ { "advisory": "setup-tools is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, + "cve": "PVE-2021-34984", "id": "pyup.io-34984", "specs": [ ">0", @@ -16898,7 +22021,7 @@ "setuptools": [ { "advisory": "setuptools 0.9.5 fixes a security vulnerability in SSL certificate validation.", - "cve": null, + "cve": "PVE-2021-26129", "id": "pyup.io-26129", "specs": [ "<0.9.5" @@ -16907,7 +22030,7 @@ }, { "advisory": "setuptools before 1.3 has a security vulnerability in SSL match_hostname check as reported in Python 17997.", - "cve": null, + "cve": "PVE-2021-26132", "id": "pyup.io-26132", "specs": [ "<1.3" @@ -16916,7 +22039,7 @@ }, { "advisory": "setuptools 3.0 avoids the potential security vulnerabilities presented by use of tar archives in ez_setup.py. It also leverages the security features added to ZipFile.extract in Python 2.7.4.", - "cve": null, + "cve": "PVE-2021-26133", "id": "pyup.io-26133", "specs": [ "<3.0" 
@@ -16927,7 +22050,7 @@ "sevabot": [ { "advisory": "sevabot before 1.1 allows arbitrary commands to be executed.", - "cve": null, + "cve": "PVE-2021-26134", "id": "pyup.io-26134", "specs": [ "<1.1" @@ -16938,7 +22061,7 @@ "sftp-cloudfs": [ { "advisory": "sftp-cloudfs before 0.13.1 is using an insecure transitive dependency (ftp-cloudfs<=0.26.1).", - "cve": null, + "cve": "PVE-2021-26135", "id": "pyup.io-26135", "specs": [ "<0.13.1" @@ -16949,7 +22072,7 @@ "shaka-streamer": [ { "advisory": "Shaka-streamer 0.3.0 fixes the PyYAML deprecation warning and YAML loading vulnerability - see: https://github.com/google/shaka-streamer/issues/35", - "cve": null, + "cve": "PVE-2021-37578", "id": "pyup.io-37578", "specs": [ "<0.3.0" @@ -16960,7 +22083,7 @@ "shiftboiler": [ { "advisory": "shiftboiler before 0.6.5 included a minor security issue: If google login did not return an id, user can takeover another user's account.", - "cve": null, + "cve": "PVE-2021-36542", "id": "pyup.io-36542", "specs": [ "<0.6.5" @@ -16969,7 +22092,7 @@ }, { "advisory": "Shiftboiler 0.9.3 contains improvements around application security. For instance session cookies and FlaskLogin's remember me cookies are now set to be secure and http-only by default in production environments. Additionally, flask applications are now CSRF-protected out of the box so you don't have to remember to enable this feature.", - "cve": null, + "cve": "PVE-2021-38472", "id": "pyup.io-38472", "specs": [ "<0.9.3" 
@@ -16977,10 +22100,32 @@ "v": "<0.9.3" } ], + "shuup": [ + { + "advisory": "Shuup 2.11.0 fixes critical vulnerability on views that were returning not escaped content making it open to XSS attacks.", + "cve": "PVE-2021-41033", + "id": "pyup.io-41033", + "specs": [ + "<2.11.0" + ], + "v": "<2.11.0" + } + ], + "simple-swagger": [ + { + "advisory": "Simple-swagger 0.1.0 adds basic security support with credentials.", + "cve": "PVE-2021-40180", + "id": "pyup.io-40180", + "specs": [ + "<0.1.0" + ], + "v": "<0.1.0" + } + ], "simplemonitor": [ { "advisory": "simplemonitor 2.7 changes the remote monitor protocol and uses the JSON format for remote monitor protocol (more secure than pickle)", - "cve": null, + "cve": "PVE-2021-37886", "id": "pyup.io-37886", "specs": [ "<2.7" @@ -16988,10 +22133,21 @@ "v": "<2.7" } ], + "simplesockets": [ + { + "advisory": "Simplesockets 0.1.0 improves security in the self-made secure socket.", + "cve": "PVE-2021-40604", + "id": "pyup.io-40604", + "specs": [ + "<0.1.0" + ], + "v": "<0.1.0" + } + ], "simulaqron": [ { "advisory": "Simulaqron 3.0.7 bumps to twisted 19.7 due to security vulnerabilities with earlier versions.", - "cve": null, + "cve": "PVE-2021-37571", "id": "pyup.io-37571", "specs": [ "<3.0.7" 
@@ -16999,21 +22155,63 @@ "v": "<3.0.7" } ], - "slackeventsapi": [ + "skill-sdk": [ { - "advisory": "slackeventsapi 2.1.0 updates minimum Flask version to address security vulnerability (45)", - "cve": null, - "id": "pyup.io-36729", + "advisory": "Skill-sdk 0.10.5 makes its underlying dependency 'Tornado' optional due to a security issue.", + "cve": "PVE-2021-39692", + "id": "pyup.io-39692", "specs": [ - "<2.1.0" + "<0.10.5" + ], + "v": "<0.10.5" + } + ], + "slackeventsapi": [ + { + "advisory": "slackeventsapi 2.1.0 updates minimum Flask version to address security vulnerability (45)", + "cve": "PVE-2021-36729", + "id": "pyup.io-36729", + "specs": [ + "<2.1.0" ], "v": "<2.1.0" } ], + "sleap": [ + { + "advisory": "Sleap 1.0.10a4 updates TensorFlow 2.1.2 for security reasons.", + "cve": "PVE-2021-39680", + "id": "pyup.io-39680", + "specs": [ + "<1.0.10a4" + ], + "v": "<1.0.10a4" + }, + { + "advisory": "Sleap 1.0.10a updates TensorFlow 2.1.2 for security reasons.", + "cve": "PVE-2021-39679", + "id": "pyup.io-39679", + "specs": [ + "<1.0.10a5" + ], + "v": "<1.0.10a5" + } + ], + "smbprotocol": [ + { + "advisory": "Smbprotocol 1.4.0 adds few important security improvements.", + "cve": "PVE-2021-40415", + "id": "pyup.io-40415", + "specs": [ + "<1.4.0" + ], + "v": "<1.4.0" + } + ], "smeagol": [ { "advisory": "smeagol 0.1.0 has several known bugs and security issues that need to be addressed before it can be used in production.", - "cve": null, + "cve": "PVE-2021-34818", "id": "pyup.io-34818", "specs": [ "<0.1.0" @@ -17024,7 +22222,7 @@ "smqtk": [ { "advisory": "Smqtk 0.11.0 includes a number of security and stability fixes for algorithms and the IQR demo web application.", - "cve": null, + "cve": "PVE-2021-38777", "id": "pyup.io-38777", "specs": [ "<0.11.0" 
@@ -17032,10 +22230,21 @@ "v": "<0.11.0" } ], + "smtpdfix": [ + { + "advisory": "Smtpdfix 0.2.9 requires a 'cryptography' dependency version 3.4.4 in response to security reports.", + "cve": "PVE-2021-39708", + "id": "pyup.io-39708", + "specs": [ + "<0.2.9" + ], + "v": "<0.2.9" + } + ], "snakemake": [ { "advisory": "Snakemake 5.28.0 parses values more securely when using --config.", - "cve": null, + "cve": "PVE-2021-39106", "id": "pyup.io-39106", "specs": [ "<5.28.0" @@ -17057,7 +22266,7 @@ "sncli": [ { "advisory": "Sncli 0.4.0 contains a security fix for an arbitrary code execution bug. Copying text from notes to the clipboard was being performed by building a shell command to execute. This resulted in the line being copied substituted directly into the shell command. A carefully crafted line could run any arbitrary shell command, and some lines could crash the\r\nprocess causing the line to fail to copy. This fixes the issue by not using a shell to interpret the command, and\r\npassing the text to be copied directly to stdin.", - "cve": null, + "cve": "PVE-2021-37302", "id": "pyup.io-37302", "specs": [ "<0.4.0" @@ -17068,7 +22277,7 @@ "soapfish": [ { "advisory": "soapfish before 0.6.0 has a potential security issue - pattern restrictions were not applied correctly.", - "cve": null, + "cve": "PVE-2021-26136", "id": "pyup.io-26136", "specs": [ "<0.6.0" @@ -17079,7 +22288,7 @@ "soappy": [ { "advisory": "soappy before 0.12.6 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.", - "cve": null, + "cve": "PVE-2021-26137", "id": "pyup.io-26137", "specs": [ "<0.12.6" 
@@ -17090,7 +22299,7 @@ "soappy-py3": [ { "advisory": "soappy-py3 before 0.12.6 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.", - "cve": null, + "cve": "PVE-2021-26138", "id": "pyup.io-26138", "specs": [ "<0.12.6" @@ -17101,7 +22310,7 @@ "sockjs-tornado": [ { "advisory": "Sockjs-tornado 1.0.7 includes a fix for a XSS vulnerability. No details are given. Possibly it's related to the XSS vulnerability that was addressed in 1.0.6, which jeopardized the HTMLFILE transport.", - "cve": null, + "cve": "PVE-2021-38215", "id": "pyup.io-38215", "specs": [ "<1.0.7" @@ -17112,7 +22321,7 @@ "sopel": [ { "advisory": "'web.get' and 'web.post' in sopel 4.1.0 can be told to limit how much they read from a URL, to prevent malicious use.", - "cve": null, + "cve": "PVE-2021-39121", "id": "pyup.io-39121", "specs": [ "<4.1.0" @@ -17121,7 +22330,7 @@ }, { "advisory": "A security issue involving an improperly named channel logs was fixed in Sopel 4.4.0.", - "cve": null, + "cve": "PVE-2021-26139", "id": "pyup.io-26139", "specs": [ "<4.4.0" @@ -17130,7 +22339,7 @@ }, { "advisory": "Sopel 6.3.0 uses the `requests` package for stability and security.", - "cve": null, + "cve": "PVE-2021-27413", "id": "pyup.io-27413", "specs": [ "<6.3.0" @@ -17141,7 +22350,7 @@ "spacepy-x": [ { "advisory": "HTTPS has been re-enabled in spacepy-x 1.0.1 for secure API goodness.", - "cve": null, + "cve": "PVE-2021-37388", "id": "pyup.io-37388", "specs": [ "<1.0.1" @@ -17152,7 +22361,7 @@ "sparselandtools": [ { "advisory": "sparselandtools 1.0.1 requires newer versions of third party packages for security reasons in some cases", - "cve": null, + "cve": "PVE-2021-37929", "id": "pyup.io-37929", "specs": [ "<1.0.1" 
@@ -17160,10 +22369,21 @@ "v": "<1.0.1" } ], + "sparsify": [ + { + "advisory": "Sparsify 0.1.1 updates the 'axios' dependency to fix a security vulnerability.", + "cve": "PVE-2021-40321", + "id": "pyup.io-40321", + "specs": [ + "<0.1.1" + ], + "v": "<0.1.1" + } + ], "sphinx": [ { "advisory": "Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons.", - "cve": null, + "cve": "PVE-2021-38330", "id": "pyup.io-38330", "specs": [ "<3.0.4" @@ -17174,7 +22394,7 @@ "sphinx-paragraph-extractor": [ { "advisory": "Sphinx-paragraph-extractor 1.0.4 updates dependencies for security reasons.", - "cve": null, + "cve": "PVE-2021-37082", "id": "pyup.io-37082", "specs": [ "<1.0.4" @@ -17182,10 +22402,21 @@ "v": "<1.0.4" } ], + "sphinx-wagtail-theme": [ + { + "advisory": "Sphinx-wagtail-theme 4.3.0 updates yarn.lock for security reasons.", + "cve": "PVE-2021-40027", + "id": "pyup.io-40027", + "specs": [ + "<4.3.0" + ], + "v": "<4.3.0" + } + ], "spintest": [ { "advisory": "spintest 0.2.0 renders the UUID Token invisible in the log to avoid security violation, when spintest is used during the CI/CD tools", - "cve": null, + "cve": "PVE-2021-37859", "id": "pyup.io-37859", "specs": [ "<0.2.0" @@ -17196,7 +22427,7 @@ "splash": [ { "advisory": "splash before 2.0.1 is vulnerable to a XSS attack in HTTP UI.", - "cve": null, + "cve": "PVE-2021-26140", "id": "pyup.io-26140", "specs": [ "<2.0.1" @@ -17205,7 +22436,7 @@ }, { "advisory": "In splash before 2.3.2 xvfb binds to ports in the range 6000-6200 on all available interfaces.", - "cve": null, + "cve": "PVE-2021-33045", "id": "pyup.io-33045", "specs": [ "<2.3.2" 
@@ -17224,10 +22455,32 @@ "v": "<1.6.6" } ], + "spotdl": [ + { + "advisory": "Spotdl 3.6.0 includes a security fix for the 'xnetcat' dependency.", + "cve": "PVE-2021-40550", + "id": "pyup.io-40550", + "specs": [ + "<3.6.0" + ], + "v": "<3.6.0" + } + ], + "spotify-gender-ex": [ + { + "advisory": "Spotify-gender-ex 2.4.0 adds certificate validation of the Spotify 'APK' file to prevent malicious apps from being processed and re-signed.", + "cve": "PVE-2021-40817", + "id": "pyup.io-40817", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + } + ], "spud": [ { "advisory": "spud before 0.8 doesn't check permissions. Anybody could edit photos.", - "cve": null, + "cve": "PVE-2021-26141", "id": "pyup.io-26141", "specs": [ "<0.8" @@ -17238,7 +22491,7 @@ "spyder-terminal": [ { "advisory": "Spyder-terminal 0.3.1 resolves several vulnerabilities. See: .", - "cve": null, + "cve": "PVE-2021-39132", "id": "pyup.io-39132", "specs": [ "<0.3.1" @@ -17270,7 +22523,7 @@ "sqlalchemy-cockroachdb": [ { "advisory": "Sqlalchemy-cockroachdb 0.3.2 updates urllib3 to remove a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38405", "id": "pyup.io-38405", "specs": [ "<0.3.2" @@ -17281,7 +22534,7 @@ "sqlathanor": [ { "advisory": "Sqlathanor 0.5.0 updates the ``requirements.txt`` (which does not actually indicate utilization dependencies, and instead indicates development dependencies) to upgrade a number of libraries that had recently had security vulnerabilities discovered.", - "cve": null, + "cve": "PVE-2021-37403", "id": "pyup.io-37403", "specs": [ "<0.5.0" @@ -17292,7 +22545,7 @@ "sqlfluff": [ { "advisory": "Sqlfluff 0.3.2 moves to `SandboxedEnvironment` rather than `Environment` for jinja templating for security.", - "cve": null, + "cve": "PVE-2021-38270", "id": "pyup.io-38270", "specs": [ "<0.3.2" 
@@ -17303,7 +22556,7 @@ "ssh-audit": [ { "advisory": "Ssh-audit 2.2.0 re-classifies the very common `ssh-rsa` host key type as weak, due to practical SHA-1 attacks - see https://eprint.iacr.org/2020/014.pdf", - "cve": null, + "cve": "PVE-2021-38046", "id": "pyup.io-38046", "specs": [ "<2.2.0" @@ -17314,7 +22567,7 @@ "ssh-decorate": [ { "advisory": "Ssh-decorate version 0.28 through 0.31 is known to contain a backdoor that steals SSH credentials.", - "cve": null, + "cve": "PVE-2021-38498", "id": "pyup.io-38498", "specs": [ ">=0.28,<=0.31" @@ -17322,10 +22575,39 @@ "v": ">=0.28,<=0.31" } ], + "ssh-mitm": [ + { + "advisory": "ssh-mitm before 0.3.11", + "cve": "PVE-2021-39436", + "id": "pyup.io-39436", + "specs": [ + "<0.3.11" + ], + "v": "<0.3.11" + }, + { + "advisory": "Ssh-mitm version 0.3.12 adds support for CVE-2019-6110 .", + "cve": "CVE-2019-6110", + "id": "pyup.io-39455", + "specs": [ + "<0.3.12" + ], + "v": "<0.3.12" + }, + { + "advisory": "Ssh-mitm version 0.3.12 adds support for CVE-2019-6111.", + "cve": "CVE-2019-6111", + "id": "pyup.io-39456", + "specs": [ + "<0.3.12" + ], + "v": "<0.3.12" + } + ], "sslyze": [ { "advisory": "Sslyze 3.0.2 improves the check for HTTP security headers by adding support for HTTP redirections.", - "cve": null, + "cve": "PVE-2021-38197", "id": "pyup.io-38197", "specs": [ "<3.0.2" 
@@ -17333,10 +22615,21 @@ "v": "<3.0.2" } ], + "st2client": [ + { + "advisory": "StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name). See CVE-2021-28667.", + "cve": "CVE-2021-28667", + "id": "pyup.io-40034", + "specs": [ + "<3.4.1" + ], + "v": "<3.4.1" + } + ], "starcluster": [ { "advisory": "starcluster before 0.95.3 opens up the VPC to the internet by default which is a security risk and it requires a special VPC configuration (internet gateway attached to the VPC and a route to the gateway with dest CIDR block 0.0.0.0/0 associated with the VPC subnet). Configuring this automatically (which does not happen currently) would be a security risk and without this configuration StarCluster cannot connect to the VPC nodes even though they've been assigned a public IP.", - "cve": null, + "cve": "PVE-2021-26142", "id": "pyup.io-26142", "specs": [ "<0.95.3" @@ -17347,7 +22640,7 @@ "stargate": [ { "advisory": "stargate before 0.4 has several undisclosed security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-26143", "id": "pyup.io-26143", "specs": [ "<0.4" @@ -17358,7 +22651,7 @@ "staty": [ { "advisory": "Staty 1.2.3 updates requirements to fix security issues.", - "cve": null, + "cve": "PVE-2021-37049", "id": "pyup.io-37049", "specs": [ "<1.2.3" @@ -17380,7 +22673,7 @@ "stomp.py": [ { "advisory": "Stomp.py 4.1.22 reduces verbosity in logging to not include headers unless debug level is turned on. This was a potential security issue as per: .", - "cve": null, + "cve": "PVE-2021-37046", "id": "pyup.io-37046", "specs": [ "<4.1.22" @@ -17391,7 +22684,7 @@ "stork": [ { "advisory": "Stork 3.0.1 includes re-compiled dependencies to fix a security issue in a pinned dependency.", - "cve": null, + "cve": "PVE-2021-38611", "id": "pyup.io-38611", "specs": [ "<3.0.1" 
@@ -17402,7 +22695,7 @@ "stormpath": [ { "advisory": "stormpath before 2.0.5 is using an insecure transitive dependency (pyjwt).", - "cve": null, + "cve": "PVE-2021-26144", "id": "pyup.io-26144", "specs": [ "<2.0.5" @@ -17411,7 +22704,7 @@ }, { "advisory": "stormpath before 2.5.0 doesn't validate JWT correctly.", - "cve": null, + "cve": "PVE-2021-26145", "id": "pyup.io-26145", "specs": [ "<2.5.0" @@ -17422,7 +22715,7 @@ "stormpath-sdk": [ { "advisory": "stormpath-sdk before 2.5.0 doesn't validate JWT correctly.", - "cve": null, + "cve": "PVE-2021-26146", "id": "pyup.io-26146", "specs": [ "<2.5.0" @@ -17433,7 +22726,7 @@ "streamlit": [ { "advisory": "The `server.address` config option in streamlit 0.57.0 binds the server to that address for added security.", - "cve": null, + "cve": "PVE-2021-38121", "id": "pyup.io-38121", "specs": [ "<0.57.0" @@ -17444,7 +22737,7 @@ "streamsx-kafka": [ { "advisory": "streamsx-kafka 1.5.1 - resolves security vulnerabilities in third-party libs", - "cve": null, + "cve": "PVE-2021-36807", "id": "pyup.io-36807", "specs": [ "<1.5.1" @@ -17455,7 +22748,7 @@ "streamsx-objectstorage": [ { "advisory": "streamsx-objectstorage 1.7.2 resolves security vulnerabilities in third-party libs #135", - "cve": null, + "cve": "PVE-2021-36618", "id": "pyup.io-36618", "specs": [ "<1.7.0" @@ -17466,7 +22759,7 @@ "streamsx.messagehub": [ { "advisory": "streamsx.messagehub 1.5.1 resolves security vulnerabilities in third-party libs", - "cve": null, + "cve": "PVE-2021-36727", "id": "pyup.io-36727", "specs": [ "<1.5.1" @@ -17477,7 +22770,7 @@ "substra": [ { "advisory": "Substra 0.0.19 fixes a vulnerability in lodash.", - "cve": null, + "cve": "PVE-2021-38835", "id": "pyup.io-38835", "specs": [ "<0.0.19" 
@@ -17499,18 +22792,38 @@ "suds-community": [ { "advisory": "suds-community 0.7.0 fixes `FileCache` default cache location related security issue.", - "cve": "CVE-2013-2217", - "id": "pyup.io-36562", + "cve": "PVE-2021-40552", + "id": "pyup.io-40552", "specs": [ "<0.7.0" ], "v": "<0.7.0" + }, + { + "advisory": "Suds-community 0.7.0 addresses CVE-2013-2217.", + "cve": "CVE-2013-2217", + "id": "pyup.io-36562", + "specs": [ + ">=0.4.1,<0.7.0" + ], + "v": ">=0.4.1,<0.7.0" + } + ], + "superdesk-planning": [ + { + "advisory": "Superdesk-planning 2.0.2 includes a security patch which requires authentication for all API endpoints.", + "cve": "PVE-2021-39688", + "id": "pyup.io-39688", + "specs": [ + "<2.0.2" + ], + "v": "<2.0.2" } ], "superset": [ { "advisory": "Superset 0.11.0a allows for requesting access when denied on a dashboard view (#1192). It also allows to set static headers as configuration (#1126) and prevents XSS on FAB list views (#1125).", - "cve": null, + "cve": "PVE-2021-26147", "id": "pyup.io-26147", "specs": [ "<0.11.0a" @@ -17519,7 +22832,7 @@ }, { "advisory": "Superset 0.14.0a improves jinja2 security by using SandboxedEnvironment (#1632) and improves the security scheme (#1587).", - "cve": null, + "cve": "PVE-2021-37486", "id": "pyup.io-37486", "specs": [ "<0.14.0a" @@ -17528,7 +22841,7 @@ }, { "advisory": "Superset 0.19.1a prevents XSS markup viz (#3211).", - "cve": null, + "cve": "PVE-2021-37487", "id": "pyup.io-37487", "specs": [ "<0.19.1a" @@ -17537,7 +22850,7 @@ }, { "advisory": "Superset 0.23.0a bumps dependencies with security issues (#4427). It also fixes 4 security vulnerabilities (#4390) and adds all derived FAB UserModelView views to admin only (#4180).", - "cve": null, + "cve": "PVE-2021-36204", "id": "pyup.io-36204", "specs": [ "<0.23.0a" 
@@ -17546,7 +22859,7 @@ }, { "advisory": "Superset 0.29.0rc8a secures unsecured views and prevent regressions (#6553).", - "cve": null, + "cve": "PVE-2021-37488", "id": "pyup.io-37488", "specs": [ "<0.29.0rc8a" @@ -17555,7 +22868,7 @@ }, { "advisory": "Superset 0.32.0rc2.dev2a includes new, deprecate merge_perm. Also, the FAB method is fixed (#7355).", - "cve": null, + "cve": "PVE-2021-26584", "id": "pyup.io-26584", "specs": [ "<0.32.0rc2.dev2a" @@ -17564,7 +22877,7 @@ }, { "advisory": "Superset 0.33.0rc1a adds Flask-Talisman (#7443).", - "cve": null, + "cve": "PVE-2021-37485", "id": "pyup.io-37485", "specs": [ "<0.33.0rc1a" @@ -17573,7 +22886,7 @@ }, { "advisory": "Superset 0.34.0a adds docstrings and type hints (#7952), and bumps python libs, addressing insecure releases (#7550).", - "cve": null, + "cve": "PVE-2021-26602", "id": "pyup.io-26602", "specs": [ "<0.34.0a" @@ -17584,7 +22897,7 @@ "superset-hand": [ { "advisory": "superset-hand before 0.11.0 is vulnerable to a XSS attack on FAB list views.", - "cve": null, + "cve": "PVE-2021-26148", "id": "pyup.io-26148", "specs": [ "<0.11.0" @@ -17595,7 +22908,7 @@ "superset-tddv": [ { "advisory": "superset-tddv before 0.11.0 is vulnerable to a XSS attack on FAB list views.", - "cve": null, + "cve": "PVE-2021-26149", "id": "pyup.io-26149", "specs": [ "<0.11.0" @@ -17606,7 +22919,7 @@ "supervisor": [ { "advisory": "In supervisor before 3.3.3 (fix backported to 3.2.4, 3.1.4 and 3.0.1) a vulnerability was found where an authenticated client can send a malicious XML-RPC request to ``supervisord`` that will run arbitrary shell commands on the server. The commands will be run as the same user as ``supervisord``. Depending on how ``supervisord`` has been configured, this may be root. See https://github.com/Supervisor/supervisor/issues/964 for details.", - "cve": null, + "cve": "PVE-2021-34840", "id": "pyup.io-34840", "specs": [ ">=3.3,<3.3.3", 
@@ -17628,10 +22941,21 @@ "v": "<=0.9.3" } ], + "svmbir": [ + { + "advisory": "Svmbir 0.2.3 updates the 'Pillow' dependency for security concerns.", + "cve": "PVE-2021-41046", + "id": "pyup.io-41046", + "specs": [ + "<0.2.3" + ], + "v": "<0.2.3" + } + ], "swauth": [ { "advisory": "swauth before 1.1.0 has multiple undisclosed security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-26150", "id": "pyup.io-26150", "specs": [ "<1.1.0" @@ -17649,6 +22973,17 @@ ], "v": "<2.6.0" }, + { + "advisory": "In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and 2.14.0, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected.", + "cve": "CVE-2017-8761", + "id": "pyup.io-40591", + "specs": [ + "<=2.10.1", + ">=2.11.0,<=2.13.0", + "==2.14.0" + ], + "v": "<=2.10.1,>=2.11.0,<=2.13.0,==2.14.0" + }, { "advisory": "OpenStack Swift as of 2013-12-15 mishandles PYTHON_EGG_CACHE. See: CVE-2013-7109.\r\n\r\nConcerns about this vulnerability were minor, and the affected versions are not clear. See: .", "cve": "CVE-2013-7109", @@ -17662,7 +22997,7 @@ "swifter": [ { "advisory": "Swifter 0.292 fixes a known security vulnerability in parso <= 0.4.0 by requiring parso > 0.4.0", - "cve": null, + "cve": "PVE-2021-37369", "id": "pyup.io-37369", "specs": [ "<0.292" @@ -17673,7 +23008,7 @@ "syft": [ { "advisory": "Syft 0.2.3:\r\n* Fixes a potential security issue with unsafe YAML loading\r\n* Removes an insecure eval in native tensor interpreter", - "cve": null, + "cve": "PVE-2021-37958", "id": "pyup.io-37958", "specs": [ "<0.2.3" @@ -17682,7 +23017,7 @@ }, { "advisory": "syft 0.2.3.a1 removes an insecure eval in native tensor interpreter", - "cve": null, + "cve": "PVE-2021-37930", "id": "pyup.io-37930", "specs": [ "<0.2.3.a1" 
@@ -17690,10 +23025,97 @@ "v": "<0.2.3.a1" } ], + "synapse": [ + { + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation. See CVE-2021-21274.", + "cve": "CVE-2021-21274", + "id": "pyup.io-39662", + "specs": [ + "<1.25.0" + ], + "v": "<1.25.0" + }, + { + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary. 
See CVE-2021-21273.", + "cve": "CVE-2021-21273", + "id": "pyup.io-39661", + "specs": [ + "<1.25.0" + ], + "v": "<1.25.0" + }, + { + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notifications for missed messages or for an expiring account are subject to HTML injection. In the case of the notification for missed messages, this could allow an attacker to insert forged content into the email. The account expiry feature is not enabled by default and the HTML injection is not controllable by an attacker. This is fixed in version 1.27.0. See CVE-2021-21333.", + "cve": "CVE-2021-21333", + "id": "pyup.io-40107", + "specs": [ + "<1.27.0" + ], + "v": "<1.27.0" + }, + { + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources served on the same domain or parent domains. This is fixed in version 1.27.0. See CVE-2021-21332.", + "cve": "CVE-2021-21332", + "id": "pyup.io-40106", + "specs": [ + "<1.27.0" + ], + "v": "<1.27.0" + }, + { + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. 
Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds. See CVE-2021-21393.", + "cve": "CVE-2021-21393", + "id": "pyup.io-40194", + "specs": [ + "<1.28.0" + ], + "v": "<1.28.0" + }, + { + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See referenced GitHub security advisory for details and workarounds. See CVE-2021-21392.", + "cve": "CVE-2021-21392", + "id": "pyup.io-40193", + "specs": [ + "<1.28.0" + ], + "v": "<1.28.0" + }, + { + "advisory": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them. Refer to referenced GitHub security advisory for additional details including workarounds. 
See CVE-2021-21394.", + "cve": "CVE-2021-21394", + "id": "pyup.io-40195", + "specs": [ + "<1.28.0" + ], + "v": "<1.28.0" + } + ], + "synapse-downloader": [ + { + "advisory": "Synapse-downloader 0.0.5 upgrades several dependencies with vulnerabilities.", + "cve": "PVE-2021-40828", + "id": "pyup.io-40828", + "specs": [ + "<0.0.5" + ], + "v": "<0.0.5" + } + ], + "synology-api": [ + { + "advisory": "Synology-api 0.2.1 removes an unsecured certificate warning at login.", + "cve": "PVE-2021-40549", + "id": "pyup.io-40549", + "specs": [ + "<0.2.1" + ], + "v": "<0.2.1" + } + ], "synse": [ { "advisory": "Synse 2.1.2 updates dependencies to fix a security vulnerability. See: .", - "cve": null, + "cve": "PVE-2021-38512", "id": "pyup.io-38512", "specs": [ "<2.1.2" @@ -17733,7 +23155,7 @@ "tahoe-lafs": [ { "advisory": "tahoe-lafs before 1.2.0 doesn't make the immutable-file \"ciphertext hash tree\" mandatory.", - "cve": null, + "cve": "PVE-2021-26152", "id": "pyup.io-26152", "specs": [ "<1.2.0" @@ -17742,7 +23164,7 @@ }, { "advisory": "tahoe-lafs before 1.4.1 is vulnerable to timing attacks due to our use of strcmp against the write-enabler.", - "cve": null, + "cve": "PVE-2021-26153", "id": "pyup.io-26153", "specs": [ "<1.4.1" @@ -17751,7 +23173,7 @@ }, { "advisory": "tahoe-lafs before 1.8.3 has a flaw that would allow a person who knows a storage index of a file to delete shares of that file.", - "cve": null, + "cve": "PVE-2021-26154", "id": "pyup.io-26154", "specs": [ "<1.8.3" @@ -17760,7 +23182,7 @@ }, { "advisory": "tahoe-lafs before 1.9.1 has a flaw that would allow servers to cause undetected corruption when\r\n retrieving the contents of mutable files (both SDMF and MDMF).", - "cve": null, + "cve": "PVE-2021-26155", "id": "pyup.io-26155", "specs": [ "<1.9.1" 
@@ -17768,21 +23190,52 @@ "v": "<1.9.1" } ], + "tapestry": [ + { + "advisory": "Tapestry 1.1.0 closed the security issue which could result in recovery from unauthenticated blocks without warning the user.", + "cve": "PVE-2021-39374", + "id": "pyup.io-39374", + "specs": [ + "<1.1.0" + ], + "v": "<1.1.0" + } + ], + "tapipy": [ + { + "advisory": "Tapipy 0.3.10 removes the 'cyptography' package dependency as it had security flaws and was not used.", + "cve": "PVE-2021-40092", + "id": "pyup.io-40092", + "specs": [ + "<0.3.10" + ], + "v": "<0.3.10" + } + ], "taskcluster": [ { "advisory": "Taskcluster 24.1.3 fixes a possible XSS vulnerability with the lazylog viewer - see: http://bugzil.la/1605933", - "cve": null, + "cve": "PVE-2021-37675", "id": "pyup.io-37675", "specs": [ "<24.1.3" ], "v": "<24.1.3" + }, + { + "advisory": "in taskcluster 43.1.0 , the object service now serves `text/html` content with `Content-Disposition: attachment` to avoid security issues inherent in serving arbitrary HTML documents.", + "cve": "PVE-2021-40215", + "id": "pyup.io-40215", + "specs": [ + "<43.1.0" + ], + "v": "<43.1.0" } ], "tbats": [ { "advisory": "Tbats 1.0.7 upgrades its dependencies due to an vulnerability in Jinja2. In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.", - "cve": null, + "cve": "PVE-2021-37051", "id": "pyup.io-37051", "specs": [ "<1.0.7" 
@@ -17790,7 +23243,7 @@ "v": "<1.0.7" }, { - "advisory": "Tbats 1.0.8 upgrades its dependencies due to an vulnerability in urllib3. See CVE-2019-11324.", + "advisory": "Tbats 1.0.8 includes a fix for CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.", "cve": "CVE-2019-11324", "id": "pyup.io-37336", "specs": [ @@ -17799,10 +23252,32 @@ "v": "<1.0.8" } ], + "td-ameritrade-python-api": [ + { + "advisory": "Td-ameritrade-python-api 0.3.2 no longer auto-generates 'credentials.json' in the utility folder out of a concern for security. Instead, the user must specify where they would like to cache their refresh token.", + "cve": "PVE-2021-39230", + "id": "pyup.io-39230", + "specs": [ + "<0.3.2" + ], + "v": "<0.3.2" + } + ], + "telegram-stats-bot": [ + { + "advisory": "Telegram-stats-bot 0.3.1 bumps crypography requirement to address a security vulnerability.", + "cve": "PVE-2021-39382", + "id": "pyup.io-39382", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + } + ], "telemeta": [ { "advisory": "telemeta before 1.4.31 has a undisclosed security vulnerability in TELEMETA_EXPORT_CACHE_DIR.", - "cve": null, + "cve": "PVE-2021-26156", "id": "pyup.io-26156", "specs": [ "<1.4.31" @@ -17813,7 +23288,7 @@ "teleserver": [ { "advisory": "Teleserver 2.2.0 increases the security by implementing better user verification. Now there are three ways of accessing teleserver: with GUI credentials, with service principal generated from system tab or with temporary token created via /login route of API.", - "cve": null, + "cve": "PVE-2021-38021", "id": "pyup.io-38021", "specs": [ "<2.2.0" 
@@ -17824,7 +23299,7 @@ "telnet": [ { "advisory": "telnet is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, + "cve": "PVE-2021-34985", "id": "pyup.io-34985", "specs": [ ">0", @@ -17836,7 +23311,7 @@ "tendenci": [ { "advisory": "Tendenci 11.0.1 patches a security hole in payments that could potentially expose user data.", - "cve": null, + "cve": "PVE-2021-38510", "id": "pyup.io-38510", "specs": [ "<11.0.1" @@ -17845,7 +23320,7 @@ }, { "advisory": "Tendenci 11.0.4 updates its requirements.txt to require django >=1.11.16 because there are vulnerabilities in Django 1.11.x before 1.11.15.", - "cve": null, + "cve": "PVE-2021-38940", "id": "pyup.io-38940", "specs": [ "<11.0.4" @@ -17854,7 +23329,7 @@ }, { "advisory": "tendenci 11.1.1 updates Django version to 1.11.20 to patch a security issue in django 1.11.18", - "cve": null, + "cve": "PVE-2021-36888", "id": "pyup.io-36888", "specs": [ "<11.1.1" @@ -17863,7 +23338,7 @@ }, { "advisory": "Tendenci 11.2.12 strips null bytes to avoid null byte injection attacks.", - "cve": null, + "cve": "PVE-2021-37350", "id": "pyup.io-37350", "specs": [ "<11.2.12" @@ -17872,7 +23347,7 @@ }, { "advisory": "Tendenci 11.2.8 upgrades bootstrap from 3.3.1 to 3.4.1. There are XSS vulnerabilities in version lower than 3.4.1.", - "cve": null, + "cve": "PVE-2021-37150", "id": "pyup.io-37150", "specs": [ "<11.2.8" @@ -17881,7 +23356,7 @@ }, { "advisory": "Tendenci 11.4.7 prevents unauthorized use of renewal URLs.", - "cve": null, + "cve": "PVE-2021-38509", "id": "pyup.io-38509", "specs": [ "<11.4.7" @@ -17890,7 +23365,7 @@ }, { "advisory": "Tendenci 11.4.9 handles the case in event registrations when management forms are tampered maliciously.", - "cve": null, + "cve": "PVE-2021-38939", "id": "pyup.io-38939", "specs": [ "<11.4.9" 
@@ -17899,7 +23374,7 @@ }, { "advisory": "Tendenci 12.0.5 removes .doc and .xls from the allowed file upload extensions for security reasons. Besides the general threats, determining the mime type for the .doc and .xls files (generated by old MS Word and MS Excel) requires feeding the entire file content due to their format not complying with the standard.", - "cve": null, + "cve": "PVE-2021-38274", "id": "pyup.io-38274", "specs": [ "<12.0.5" @@ -17908,7 +23383,7 @@ }, { "advisory": "Tendenci 12.2 updates Django version to 2.2.16, which fixes two security issues and two data loss bugs in version 2.2.15.", - "cve": null, + "cve": "PVE-2021-38767", "id": "pyup.io-38767", "specs": [ "<12.2" @@ -17917,7 +23392,7 @@ }, { "advisory": "Tendenci 12.3.1 fixes a potential HTML Injection and XSS vulnerability in a few areas of the admin backend.", - "cve": null, + "cve": "PVE-2021-38970", "id": "pyup.io-38970", "specs": [ "<12.3.1" @@ -17926,16 +23401,34 @@ }, { "advisory": "Tendenci 12.3.2 updates exports to prevent potential CSV injection in the exported CSV files.", - "cve": null, + "cve": "PVE-2021-38976", "id": "pyup.io-38976", "specs": [ "<12.3.2" ], "v": "<12.3.2" }, + { + "advisory": "Tendenci 12.4.13 upgrades the 'jQuery' from 3.4.1 to 3.6.0 to fix a XSS vulnerability in versions <3.5.0.", + "cve": "PVE-2021-40826", + "id": "pyup.io-40826", + "specs": [ + "<12.4.13" + ], + "v": "<12.4.13" + }, + { + "advisory": "Tendenci 12.4.8 updates the 'Pillow' dependency from 8.1.0 to 8.1.2 and tightens the security check for the password change page.", + "cve": "PVE-2021-40133", + "id": "pyup.io-40133", + "specs": [ + "<12.4.8" + ], + "v": "<12.4.8" + }, { "advisory": "Tendenci 7.4.0 disables GZipMiddleware to prevent BREACH attacks and prevents fraudulent simultaneous reuse of PayPal transactions.", - "cve": null, + "cve": "PVE-2021-35055", "id": "pyup.io-35055", "specs": [ "<7.4.0" 
@@ -17946,7 +23439,7 @@ "teneto": [ { "advisory": "In teneto 0.4.5, save_tenetobids_snapshot to export current teneto settings. save_to_pickle (and corresponding load function) have been removed as they are not secure.", - "cve": null, + "cve": "PVE-2021-37550", "id": "pyup.io-37550", "specs": [ "<0.4.5" @@ -17957,7 +23450,7 @@ "tensorflow": [ { "advisory": "tensorflow before 1.10.0 uses an insecure grpc dependency.", - "cve": null, + "cve": "PVE-2021-36375", "id": "pyup.io-36375", "specs": [ "<1.10.0" @@ -17966,16 +23459,34 @@ }, { "advisory": "Tensorflow 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", - "cve": null, + "cve": "PVE-2021-37167", "id": "pyup.io-37167", "specs": [ "<1.12.2" ], "v": "<1.12.2" }, + { + "advisory": "NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file. See CVE-2019-9635.", + "cve": "CVE-2019-9635", + "id": "pyup.io-40793", + "specs": [ + "<1.12.2" + ], + "v": "<1.12.2" + }, + { + "advisory": "In TensorFlow before 1.15, a heap buffer overflow in UnsortedSegmentSum can be produced when the Index template argument is int32. In this case data_size and num_segments fields are truncated from int64 to int32 and can produce negative numbers, resulting in accessing out of bounds heap memory. This is unlikely to be exploitable and was detected and fixed internally in TensorFlow 1.15 and 2.0. See CVE-2019-16778.", + "cve": "CVE-2019-16778", + "id": "pyup.io-40792", + "specs": [ + "<1.15" + ], + "v": "<1.15" + }, { "advisory": "The original changelog reads: \"Tensorflow 2.0 fixes a potential security vulnerability where decoding variant tensors from proto could result in heap out of bounds memory access.\" However, it was later confirmed that the fix was already included in 1.15 and later. See: .", - "cve": null, + "cve": "PVE-2021-37524", "id": "pyup.io-37524", "specs": [ "<1.15.0" 
@@ -17983,191 +23494,4297 @@ "v": "<1.15.0" }, { - "advisory": "tensorflow 1.15.3\r\n* Updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates `curl` to `7.69.1` to handle CVE-2019-15601\r\n* Updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", - "cve": null, - "id": "pyup.io-38462", + "advisory": "Tensorflow 1.15.3 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2018-17190", + "id": "pyup.io-39842", "specs": [ "<1.15.3" ], "v": "<1.15.3" }, { - "advisory": "Tensorflow 1.15.2 and 2.0.1 update `sqlite3` to `3.30.01` to handle CVE-2019-19646, CVE-2019-19645 and CVE-2019-16168.", - "cve": "CVE-2019-19646, CVE-2019-19645, CVE-2019-16168", - "id": "pyup.io-38038", + "advisory": "Tensorflow 1.15.3 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2018-19664", + "id": "pyup.io-39846", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + "<1.15.3" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": "<1.15.3" }, { - "advisory": "In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant(\"hello\", tf.float16), if eager execution is enabled. 
This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0. See: CVE-2020-5215.", - "cve": "CVE-2020-5215", - "id": "pyup.io-37776", + "advisory": "Tensorflow 1.15.3 includes a fix for CVE-2019-10099: Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.", + "cve": "CVE-2019-10099", + "id": "pyup.io-39843", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + "<1.15.3" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": "<1.15.3" }, { - "advisory": "Tensorflow 1.15.2 and 2.0.1 update `curl` to `7.66.0` to handle CVE-2019-5482 and CVE-2019-5481.", - "cve": "CVE-2019-5482, CVE-2019-5481", - "id": "pyup.io-38039", + "advisory": "Tensorflow 1.15.3 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19244", + "id": "pyup.io-39849", "specs": [ - ">=1.0,<1.15.2", - ">=2.0.0a0,<2.0.1" + "<1.15.3" ], - "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + "v": "<1.15.3" }, { - "advisory": "Tensorflow 1.15.2 and 2.0.1 fix a security vulnerability to address CVE-2020-5215 where converting a Python string to a `tf.float16` value produces a segmentation fault. 
\r\n\r\nBoth also update `curl` to `7.66.0` to address CVE-2019-5482 and CVE-2019-5481.\r\n\r\nBoth also update `sqlite3` to `3.30.01` to address CVE-2019-19645, CVE-2019-19646, CVE-2019-16168.", - "cve": "CVE-2020-5215, CVE-2019-5482, CVE-2019-5481, CVE-2019-19645, CVE-2019-19646, CVE-2019-16168", - "id": "pyup.io-38549", + "advisory": "Tensorflow 1.15.3 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2018-11770", + "id": "pyup.io-39841", "specs": [ - ">=1.0.0,<1.15.2" + "<1.15.3" ], - "v": ">=1.0.0,<1.15.2" + "v": "<1.15.3" }, { - "advisory": "Tensorflow 1.15.4:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358)", - "cve": null, - "id": "pyup.io-38818", + "advisory": "Tensorflow 1.15.3 updates `libjpeg-turbo` to `2.0.4` to handle 
CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2019-13960", + "id": "pyup.io-39844", "specs": [ - ">=1.15.0rc0,<1.15.4" + "<1.15.3" ], - "v": ">=1.15.0rc0,<1.15.4" + "v": "<1.15.3" }, { - "advisory": "In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. See: CVE-2020-15207.", - "cve": "CVE-2020-15207", - "id": "pyup.io-38824", + "advisory": "Tensorflow 1.15.3 updates `curl` to `7.69.1` to handle CVE-2019-15601.", + "cve": "CVE-2019-15601", + "id": "pyup.io-39847", "specs": [ - ">=1.15.0rc0,<1.15.4", - ">=2.0.0a0,<2.0.3", - ">=2.1.0rc0,<2.1.2", - ">=2.2.0rc0,<2.2.1", - ">=2.3.0rc0,<2.3.1" + "<1.15.3" ], - "v": ">=1.15.0rc0,<1.15.4,>=2.0.0a0,<2.0.3,>=2.1.0rc0,<2.1.2,>=2.2.0rc0,<2.2.1,>=2.3.0rc0,<2.3.1" + "v": "<1.15.3" }, { - "advisory": "Tensorflow 1.15.2 and 2.0.1 fix a security vulnerability to address CVE-2020-5215 where converting a Python string to a `tf.float16` value produces a segmentation fault. 
\r\n\r\nBoth also update `curl` to `7.66.0` to address CVE-2019-5482 and CVE-2019-5481.\r\n\r\nBoth also update `sqlite3` to `3.30.01` to address CVE-2019-19645, CVE-2019-19646, CVE-2019-16168.", - "cve": "CVE-2020-5215, CVE-2019-5482, CVE-2019-5481, CVE-2019-19645, CVE-2019-19646, CVE-2019-16168", - "id": "pyup.io-38550", + "advisory": "Tensorflow 1.15.3 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2018-20330", + "id": "pyup.io-39845", "specs": [ - ">=2.0.0a0,<2.0.1" + "<1.15.3" ], - "v": ">=2.0.0a0,<2.0.1" + "v": "<1.15.3" }, { - "advisory": "tensorflow 2.0.2\r\n* Updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates `curl` to `7.69.1` to handle CVE-2019-15601\r\n* Updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", - "cve": null, - "id": "pyup.io-38461", + "advisory": "Tensorflow 1.15.3 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19880", + "id": "pyup.io-38462", "specs": [ - ">=2.0.0a0,<2.0.2" + "<1.15.3" ], - "v": ">=2.0.0a0,<2.0.2" + "v": "<1.15.3" }, { - "advisory": "Tensorflow 2.0.3:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` 
(CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358)", - "cve": null, - "id": "pyup.io-38817", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26266", + "id": "pyup.io-39748", "specs": [ - ">=2.0.0a0,<2.0.3" + "<1.15.5" ], - "v": ">=2.0.0a0,<2.0.3" + "v": "<1.15.5" }, { - "advisory": "Tensorflow 2.1.2\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358)", - "cve": null, - "id": "pyup.io-38816", + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). 
Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39750", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-13790", + "id": "pyup.io-39751", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. 
Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39410", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26271", + "id": "pyup.io-39743", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26270", + "id": "pyup.io-39745", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26268", + "id": "pyup.io-39746", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow 1.15.5 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26267", + "id": "pyup.io-39747", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0. See CVE-2020-26268.", + "cve": "CVE-2020-26268", + "id": "pyup.io-39265", + "specs": [ + "<1.15.5", + ">=2.0.0a0,<2.0.4", + ">=2.1.0rc0,<2.1.3", + ">=2.2.0rc0,<2.2.2", + ">=2.3.0rc0,<2.3.2", + ">=2.4.0rc0,<2.4.0", + ">=2.4.0rc0,<=2.4.0rc4" + ], + "v": "<1.15.5,>=2.0.0a0,<2.0.4,>=2.1.0rc0,<2.1.3,>=2.2.0rc0,<2.2.2,>=2.3.0rc0,<2.3.2,>=2.4.0rc0,<2.4.0,>=2.4.0rc0,<=2.4.0rc4" + }, + { + "advisory": "Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent. See CVE-2018-7576.", + "cve": "CVE-2018-7576", + "id": "pyup.io-40789", + "specs": [ + "<1.6.0a1" + ], + "v": "<1.6.0a1" + }, + { + "advisory": "TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc. 
See CVE-2018-21233.", + "cve": "CVE-2018-21233", + "id": "pyup.io-40787", + "specs": [ + "<1.7.0" + ], + "v": "<1.7.0" + }, + { + "advisory": "Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent. See CVE-2018-7575.", + "cve": "CVE-2018-7575", + "id": "pyup.io-40788", + "specs": [ + "<1.7.0a1" + ], + "v": "<1.7.0a1" + }, + { + "advisory": "Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory. See CVE-2018-7577.", + "cve": "CVE-2018-7577", + "id": "pyup.io-40790", + "specs": [ + "<1.7.1" + ], + "v": "<1.7.1" + }, + { + "advisory": "Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file. See CVE-2018-10055.", + "cve": "CVE-2018-10055", + "id": "pyup.io-40786", + "specs": [ + "<1.7.1" + ], + "v": "<1.7.1" + }, + { + "advisory": "In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. See CVE-2020-15266.", + "cve": "CVE-2020-15266", + "id": "pyup.io-40795", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + }, + { + "advisory": "In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. 
However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. See CVE-2020-15265.", + "cve": "CVE-2020-15265", + "id": "pyup.io-40794", + "specs": [ + "<2.4.0" + ], + "v": "<2.4.0" + }, + { + "advisory": "Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). See CVE-2018-8825.", + "cve": "CVE-2018-8825", + "id": "pyup.io-40791", + "specs": [ + "<=1.7" + ], + "v": "<=1.7" + }, + { + "advisory": "Tensorflow 1.15.2 updates `curl` to `7.66.0` to handle CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39570", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 1.15.2 and 2.0.1 updates 'sqlite3' to 3.30.01 to handle CVE-2019-19645: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39569", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 1.15.2 and 2.0.1 update `curl` to `7.66.0` to handle CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-38039", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, + { + "advisory": "In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. 
This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant(\"hello\", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0. See: CVE-2020-5215.", + "cve": "CVE-2020-5215", + "id": "pyup.io-37776", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 1.15.2 and 2.0.1 updates 'sqlite3' to 3.30.01 to handle CVE-2019-19646: pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.", + "cve": "CVE-2019-19646", + "id": "pyup.io-38038", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 1.15.2 and 2.0.1 updates 'sqlite3' to 3.30.01 to handle CVE-2019-16168: In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"", + "cve": "CVE-2019-16168", + "id": "pyup.io-39568", + "specs": [ + ">=1.0,<1.15.2", + ">=2.0.0a0,<2.0.1" + ], + "v": ">=1.0,<1.15.2,>=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 1.15.2 updates `curl` to `7.66.0` to address CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39544", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + }, + { + "advisory": "Tensorflow 1.15.2 updates 
`curl` to `7.66.0` to address CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-39545", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + }, + { + "advisory": "Tensorflow 1.15.2 fixes a security vulnerability to address CVE-2020-5215 where converting a Python string to a `tf.float16` value produces a segmentation fault.", + "cve": "CVE-2020-5215", + "id": "pyup.io-38549", + "specs": [ + ">=1.0.0,<1.15.2" + ], + "v": ">=1.0.0,<1.15.2" + }, + { + "advisory": "Tensorflow 1.15.4 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39988", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39989", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39992", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39994", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39995", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39996", + "specs": [ 
+ ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 includes a fix for CVE-2020-11656: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39979", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38818", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13630", + "id": "pyup.io-39976", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39982", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 includes a fix for CVE-2020-9327: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39981", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39983", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes 
several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39984", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39985", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39986", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39987", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39990", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39991", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39993", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 includes a fix for CVE-2020-15358: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant 
propagation.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39973", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 includes a fix for CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39977", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 includes a fix for CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39978", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 includes a fix for CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.", + "cve": "CVE-2020-13631", + "id": "pyup.io-39975", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 includes a fix for CVE-2020-13871: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39974", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "Tensorflow 1.15.4 includes a fix for CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.", + "cve": "CVE-2020-11655", + "id": "pyup.io-39980", + "specs": [ + ">=1.15.0rc0,<1.15.4" + ], + "v": ">=1.15.0rc0,<1.15.4" + }, + { + "advisory": "In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, to mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. 
However, the only check that the converted index is now valid is only present in debug builds. If the `DCHECK` does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption. The issue is patched in commit 2d88f470dea2671b430884260f3626b1fe99830a, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. See: CVE-2020-15207.", + "cve": "CVE-2020-15207", + "id": "pyup.io-38824", + "specs": [ + ">=1.15.0rc0,<1.15.4", + ">=2.0.0a0,<2.0.3", + ">=2.1.0rc0,<2.1.2", + ">=2.2.0rc0,<2.2.1", + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=1.15.0rc0,<1.15.4,>=2.0.0a0,<2.0.3,>=2.1.0rc0,<2.1.2,>=2.2.0rc0,<2.2.1,>=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26271", + "id": "pyup.io-39735", + "specs": [ + ">=2.0.0,<2.0.4" + ], + "v": ">=2.0.0,<2.0.4" + }, + { + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). 
Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39409", + "specs": [ + ">=2.0.0,<2.0.4" + ], + "v": ">=2.0.0,<2.0.4" + }, + { + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26270", + "id": "pyup.io-39736", + "specs": [ + ">=2.0.0,<2.0.4" + ], + "v": ">=2.0.0,<2.0.4" + }, + { + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). 
Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26268", + "id": "pyup.io-39737", + "specs": [ + ">=2.0.0,<2.0.4" + ], + "v": ">=2.0.0,<2.0.4" + }, + { + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26267", + "id": "pyup.io-39738", + "specs": [ + ">=2.0.0,<2.0.4" + ], + "v": ">=2.0.0,<2.0.4" + }, + { + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). 
Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26266", + "id": "pyup.io-39739", + "specs": [ + ">=2.0.0,<2.0.4" + ], + "v": ">=2.0.0,<2.0.4" + }, + { + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39741", + "specs": [ + ">=2.0.0,<2.0.4" + ], + "v": ">=2.0.0,<2.0.4" + }, + { + "advisory": "Tensorflow 2.0.4 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). 
Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-13790", + "id": "pyup.io-39742", + "specs": [ + ">=2.0.0,<2.0.4" + ], + "v": ">=2.0.0,<2.0.4" + }, + { + "advisory": "Tensorflow 2.1.0 includes a fix for CVE-2020-15250: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. 
For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.", + "cve": "CVE-2020-15250", + "id": "pyup.io-39740", + "specs": [ + ">=2.0.0,<2.1.0" + ], + "v": ">=2.0.0,<2.1.0" + }, + { + "advisory": "Tensorflow 2.0.1 updates `curl` to `7.66.0` to address CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-39540", + "specs": [ + ">=2.0.0a0,<2.0.1" + ], + "v": ">=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 2.0.1 includes a fix for CVE-2019-19646: pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.", + "cve": "CVE-2019-19646", + "id": "pyup.io-39537", + "specs": [ + ">=2.0.0a0,<2.0.1" + ], + "v": ">=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 2.0.1 fixes a security vulnerability to address CVE-2020-5215 where converting a Python string to a `tf.float16` value produces a segmentation fault.", + "cve": "CVE-2020-5215", + "id": "pyup.io-38550", + "specs": [ + ">=2.0.0a0,<2.0.1" + ], + "v": ">=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 2.0.1 updates `curl` to `7.66.0` to address CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39539", + "specs": [ + ">=2.0.0a0,<2.0.1" + ], + "v": ">=2.0.0a0,<2.0.1" + }, + { + "advisory": "Tensorflow 2.0.2 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645", + "cve": "CVE-2019-19880", + "id": "pyup.io-38461", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "Tensorflow 2.0.2 updates `sqlite3` to `3.31.01` to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645", + "cve": "CVE-2019-19244", + "id": "pyup.io-39818", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "Tensorflow 2.0.2 updates `curl` to `7.69.1` to handle CVE-2019-15601", + "cve": "CVE-2019-15601", + "id": "pyup.io-39820", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + 
"advisory": "tensorflow 2.0.2 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960", + "cve": "CVE-2018-19664", + "id": "pyup.io-39821", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "tensorflow 2.0.2 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960", + "cve": "CVE-2018-20330", + "id": "pyup.io-39822", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "Tensorflow 2.0.2 includes a fix for CVE-2019-10099: Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.", + "cve": "CVE-2019-10099", + "id": "pyup.io-39824", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "tensorflow 2.0.2 updates `libjpeg-turbo` to `2.0.4` to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960", + "cve": "CVE-2019-13960", + "id": "pyup.io-39823", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "Tensorflow 2.0.2 updates Apache Spark to `2.4.5` to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-17190", + "id": "pyup.io-39825", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "Tensorflow 2.0.2 includes a fix for CVE-2019-19645: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39819", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "Tensorflow 2.0.2 updates Apache Spark to `2.4.5` to handle 
CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", + "cve": "CVE-2018-11770", + "id": "pyup.io-39826", + "specs": [ + ">=2.0.0a0,<2.0.2" + ], + "v": ">=2.0.0a0,<2.0.2" + }, + { + "advisory": "Tensorflow 2.0.3 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13630", + "id": "pyup.io-39952", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39958", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39960", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39964", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39966", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39968", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": 
"pyup.io-39970", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39971", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 includes a fix for CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.", + "cve": "CVE-2020-11655", + "id": "pyup.io-39956", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38817", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 includes a fix for CVE-2020-11656: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39955", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39959", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39961", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": 
"CVE-2020-15207", + "id": "pyup.io-39962", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39963", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39965", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39967", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39969", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39972", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 includes a fix for CVE-2020-9327: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39957", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 includes a fix for CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39954", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + 
}, + { + "advisory": "Tensorflow 2.0.3 includes a fix for CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39953", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 includes a fix for CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.", + "cve": "CVE-2020-13631", + "id": "pyup.io-39951", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 includes a fix for CVE-2020-13871: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39950", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.3 includes a fix for CVE-2020-15358: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39949", + "specs": [ + ">=2.0.0a0,<2.0.3" + ], + "v": ">=2.0.0a0,<2.0.3" + }, + { + "advisory": "Tensorflow 2.0.1 includes a fix for CVE-2019-19645: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39848", + "specs": [ + ">=2.0.0rc0, <2.0.1" + ], + "v": ">=2.0.0rc0, <2.0.1" + }, + { + "advisory": "Tensorflow 2.1.1 updates `libjpeg-turbo` to `2.0.4` to handle (CVE-2018-19664), (CVE-2018-20330) and (CVE-2019-13960).", + "cve": "CVE-2019-13960", + "id": "pyup.io-40008", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 updates 
`libjpeg-turbo` to `2.0.4` to handle (CVE-2018-19664), (CVE-2018-20330) and (CVE-2019-13960).", + "cve": "CVE-2018-20330", + "id": "pyup.io-40009", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 includes a fix for CVE-2019-19645: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "cve": "CVE-2019-19645", + "id": "pyup.io-40012", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 updates `sqlite3` to `3.31.01` to handle (CVE-2019-19880), (CVE-2019-19244) and (CVE-2019-19645).", + "cve": "CVE-2019-19244", + "id": "pyup.io-40013", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 updates `sqlite3` to `3.31.01` to handle (CVE-2019-19880), (CVE-2019-19244) and (CVE-2019-19645).", + "cve": "CVE-2019-19880", + "id": "pyup.io-38460", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 includes a fix for CVE-2019-10099: Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. 
This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.", + "cve": "CVE-2019-10099", + "id": "pyup.io-40007", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 updates Apache Spark to `2.4.5` to handle (CVE-2019-10099), (CVE-2018-17190) and (CVE-2018-11770).", + "cve": "CVE-2018-11770", + "id": "pyup.io-40005", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 updates Apache Spark to `2.4.5` to handle (CVE-2019-10099), (CVE-2018-17190) and (CVE-2018-11770).", + "cve": "CVE-2018-17190", + "id": "pyup.io-40006", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 updates `libjpeg-turbo` to `2.0.4` to handle (CVE-2018-19664), (CVE-2018-20330) and (CVE-2019-13960).", + "cve": "CVE-2018-19664", + "id": "pyup.io-40010", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.1.1 updates `curl` to `7.69.1` to handle (CVE-2019-15601).", + "cve": "CVE-2019-15601", + "id": "pyup.io-40011", + "specs": [ + ">=2.1.0,<2.1.1" + ], + "v": ">=2.1.0,<2.1.1" + }, + { + "advisory": "Tensorflow 2.3.2 includes a fix for CVE-2020-15250: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. 
This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.", + "cve": "CVE-2020-15250", + "id": "pyup.io-39999", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Tensorflow 2.1.3 updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-40000", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Tensorflow 2.1.3 fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271).", + "cve": "CVE-2020-26271", + "id": "pyup.io-40001", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Tensorflow 2.1.3 fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267).", + "cve": "CVE-2020-26267", + "id": "pyup.io-40004", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Tensorflow 2.1.3 fixes an access to unitialized memory in Eigen code (CVE-2020-26266).", + "cve": "CVE-2020-26266", + "id": "pyup.io-39408", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + 
}, + { + "advisory": "Tensorflow 2.1.3 updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39997", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Tensorflow 2.1.3 updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39998", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Tensorflow 2.1.3 fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270).", + "cve": "CVE-2020-26270", + "id": "pyup.io-40002", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Tensorflow 2.1.3 fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268).", + "cve": "CVE-2020-26268", + "id": "pyup.io-40003", + "specs": [ + ">=2.1.0,<2.1.3" + ], + "v": ">=2.1.0,<2.1.3" + }, + { + "advisory": "Tensorflow 2.1.2 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38816", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 updates `sqlite3` to `3.33.00` to handle (CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358).", + "cve": "CVE-2020-13630", + "id": "pyup.io-39928", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39934", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + 
"cve": "CVE-2020-15210", + "id": "pyup.io-39935", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39937", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39938", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39943", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39944", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39947", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39948", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 includes a fix for CVE-2020-11656: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39931", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + 
"v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39939", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39936", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39940", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39941", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39942", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39945", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39946", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 includes a fix for CVE-2020-9327: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault 
because of generated column optimizations.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39933", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 includes a fix for CVE-2020-15358: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39925", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 includes a fix for CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39929", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 includes a fix for CVE-2020-13871: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39926", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 includes a fix for CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.", + "cve": "CVE-2020-11655", + "id": "pyup.io-39932", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 includes a fix for CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.", + "cve": "CVE-2020-13631", + "id": "pyup.io-39927", + "specs": [ + ">=2.1.0rc0,<2.1.2" + ], + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Tensorflow 2.1.2 includes a fix for CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in 
sqlite3_str_vappendf in printf.c.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39930", "specs": [ ">=2.1.0rc0,<2.1.2" ], - "v": ">=2.1.0rc0,<2.1.2" + "v": ">=2.1.0rc0,<2.1.2" + }, + { + "advisory": "Due to lack of validation in `tf.raw_ops.SparseDenseCwiseMul`, an attacker can trigger denial of service via `CHECK`-fails or accesses to outside the bounds of heap allocated data. Since the implementation(https://github.com/tensorflow/tensorflow/blob/38178a2f7a681a7835bb0912702a134bfe3b4d84/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc#L68-L80) only validates the rank of the input arguments but no constraints between dimensions(https://www.tensorflow.org/api_docs/python/tf/raw_ops/SparseDenseCwiseMul), an attacker can abuse them to trigger internal `CHECK` assertions (and cause program termination, denial of service) or to write to memory outside of bounds of heap allocated tensor buffers. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29567", + "id": "pyup.io-40469", + "specs": [ + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.5.0rc0,<2.5.0" + ], + "v": ">=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.5.0rc0,<2.5.0" + }, + { + "advisory": "Tensorflow 2.2.2 includes a fix for CVE-2020-15250: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. 
This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.", + "cve": "CVE-2020-15250", + "id": "pyup.io-39732", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": "Tensorflow 2.2.2 updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39407", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": "Tensorflow 2.2.2 fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271).", + "cve": "CVE-2020-26271", + "id": "pyup.io-39727", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": "Tensorflow 2.2.2 fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268).", + "cve": "CVE-2020-26268", + "id": "pyup.io-39729", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": "Tensorflow 2.2.2 fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267).", + "cve": "CVE-2020-26267", + "id": "pyup.io-39730", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": "Tensorflow 2.2.2 updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39733", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": "Tensorflow 2.2.2 fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270).", + "cve": "CVE-2020-26270", + "id": "pyup.io-39728", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": "Tensorflow 2.2.2 updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790.", + "cve": "CVE-2020-13790", + "id": "pyup.io-39734", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": "Tensorflow 2.2.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266).", + "cve": "CVE-2020-26266", + "id": "pyup.io-39731", + "specs": [ + ">=2.2.0,<2.2.2" + ], + "v": ">=2.2.0,<2.2.2" + }, + { + "advisory": 
"Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", + "cve": "CVE-2020-13630", + "id": "pyup.io-39901", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15212", + "id": "pyup.io-39909", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39910", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39911", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39913", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39917", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39920", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes three vulnerabilities in conversion to DLPack format 
(CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39922", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39924", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38815", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 updates `sqlite3` to `3.33.00` to handle CVE-2020-1165: An elevation of privilege vulnerability exists when Windows improperly handles calls to Clipboard Service, aka 'Windows Clipboard Service Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1111, CVE-2020-1121, CVE-2020-1166.", + "cve": "CVE-2020-1165", + "id": "pyup.io-39905", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 includes a fix for CVE-2020-11656: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.", + "cve": "CVE-2020-11656", + "id": "pyup.io-39904", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15214", + "id": "pyup.io-39907", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15213", + "id": 
"pyup.io-39908", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39912", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39914", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39915", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39916", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39918", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39919", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39921", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, 
CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39923", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 includes a fix for CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.", + "cve": "CVE-2020-13434", + "id": "pyup.io-39903", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 includes a fix for CVE-2020-15358: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39898", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 includes a fix for CVE-2020-13871: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.", + "cve": "CVE-2020-13871", + "id": "pyup.io-39899", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 includes a fix for CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.", + "cve": "CVE-2020-13435", + "id": "pyup.io-39902", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 includes a fix for CVE-2020-9327: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.", + "cve": "CVE-2020-9327", + "id": "pyup.io-39906", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "Tensorflow 2.2.1 includes a fix for CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.", + "cve": 
"CVE-2020-13631", + "id": "pyup.io-39900", + "specs": [ + ">=2.2.0rc0,<2.2.1" + ], + "v": ">=2.2.0rc0,<2.2.1" + }, + { + "advisory": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1. See: CVE-2020-15193.", + "cve": "CVE-2020-15193", + "id": "pyup.io-38823", + "specs": [ + ">=2.2.0rc0,<2.2.1", + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.2.0rc0,<2.2.1,>=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2019-20838", + "id": "pyup.io-39406", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 includes a fix for CVE-2020-15250: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.", + "cve": "CVE-2020-15250", + "id": "pyup.io-39749", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 includes a fix for CVE-2020-15250: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. 
On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.", + "cve": "CVE-2020-15250", + "id": "pyup.io-39724", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). 
Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26271", + "id": "pyup.io-39719", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26270", + "id": "pyup.io-39720", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26268", + "id": "pyup.io-39721", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26267", + "id": "pyup.io-39722", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-26266", + "id": "pyup.io-39723", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-14155", + "id": "pyup.io-39725", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.2 fixes an access to unitialized memory in Eigen code (CVE-2020-26266). Fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267). Fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268). Fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270). Fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271). Updates 'libjpeg-turbo' to '2.0.5' to handle CVE-2020-13790. Updates 'junit' to '4.13.1' to handle [CVE-2020-15250]. 
Updates 'PCRE' to '8.44' to handle [CVE-2019-20838] and [CVE-2020-14155].", + "cve": "CVE-2020-13790", + "id": "pyup.io-39726", + "specs": [ + ">=2.3.0,<2.3.2" + ], + "v": ">=2.3.0,<2.3.2" + }, + { + "advisory": "Tensorflow 2.3.1 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39880", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + "id": "pyup.io-39882", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39884", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39885", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202).", + "cve": "CVE-2020-15202", + "id": "pyup.io-39886", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39896", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15214", + "id": "pyup.io-39874", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": 
"Tensorflow 2.3.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15213", + "id": "pyup.io-39875", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15212", + "id": "pyup.io-39876", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39877", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39878", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39879", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39883", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39881", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` 
operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15201", + "id": "pyup.io-39887", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15200", + "id": "pyup.io-39888", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15199", + "id": "pyup.io-39889", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15198", + "id": "pyup.io-39890", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15197", + "id": "pyup.io-39891", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15196", + "id": "pyup.io-39892", + "specs": [ + ">=2.3.0rc0,<2.3.1" + 
], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39893", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39894", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39895", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39897", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38814", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.3.1 includes a fix for CVE-2020-15358: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.", + "cve": "CVE-2020-15358", + "id": "pyup.io-39873", + "specs": [ + ">=2.3.0rc0,<2.3.1" + ], + "v": ">=2.3.0rc0,<2.3.1" + }, + { + "advisory": "Tensorflow 2.4.0 fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190).", + "cve": "CVE-2020-15190", + "id": "pyup.io-38813", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 
2.4.0 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15214", + "id": "pyup.io-39850", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15213", + "id": "pyup.io-39851", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214).", + "cve": "CVE-2020-15212", + "id": "pyup.io-39852", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15211", + "id": "pyup.io-39853", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15209", + "id": "pyup.io-39855", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208).", + "cve": "CVE-2020-15208", + "id": "pyup.io-39856", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207).", + "cve": "CVE-2020-15207", + "id": "pyup.io-39857", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206).", + "cve": "CVE-2020-15206", + 
"id": "pyup.io-39858", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205).", + "cve": "CVE-2020-15205", + "id": "pyup.io-39859", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204).", + "cve": "CVE-2020-15204", + "id": "pyup.io-39860", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203).", + "cve": "CVE-2020-15203", + "id": "pyup.io-39861", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15200", + "id": "pyup.io-39863", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15199", + "id": "pyup.io-39864", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15197", + "id": "pyup.io-39866", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in 
`RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15196", + "id": "pyup.io-39867", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15195", + "id": "pyup.io-39868", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15193", + "id": "pyup.io-39870", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15192", + "id": "pyup.io-39871", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193).", + "cve": "CVE-2020-15191", + "id": "pyup.io-39872", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211).", + "cve": "CVE-2020-15210", + "id": "pyup.io-39854", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15201", + "id": "pyup.io-39862", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + 
"advisory": "Tensorflow 2.4.0 fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201).", + "cve": "CVE-2020-15198", + "id": "pyup.io-39865", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "Tensorflow 2.4.0 fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195).", + "cve": "CVE-2020-15194", + "id": "pyup.io-39869", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched. See CVE-2020-26269.", + "cve": "CVE-2020-26269", + "id": "pyup.io-40796", + "specs": [ + ">=2.4.0rc0,<2.4.0" + ], + "v": ">=2.4.0rc0,<2.4.0" + }, + { + "advisory": "The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes. The implementation of the padded version(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc) is buggy due to a confusion about pointer arithmetic rules. 
First, the code computes(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L61) the width of each output element by dividing the `fixed_length` value to the size of the type argument. The `fixed_length` argument is also used to determine the size needed for the output tensor(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L63-L79). This is followed by reencoding code(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L85-L94). The erroneous code is the last line above: it is moving the `out_data` pointer by `fixed_length * sizeof(T)` bytes whereas it only copied at most `fixed_length` bytes from the input. This results in parts of the input not being decoded into the output. Furthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29614", + "id": "pyup.io-40472", + "specs": [ + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4", + ">=2.5.0rc0,<2.5.0" + ], + "v": ">=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4,>=2.5.0rc0,<2.5.0" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a 'CHECK'-fail in 'AddManySparseToTensorsMap'. 
See CVE-2021-29523.", + "cve": "CVE-2021-29523", + "id": "pyup.io-40682", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a division by 0 in 'Conv2DBackpropInput'. See CVE-2021-29525.", + "cve": "CVE-2021-29525", + "id": "pyup.io-40684", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a 'CHECK'-fail in 'SparseCross' caused by type confusion. See CVE-2021-29519.", + "cve": "CVE-2021-29519", + "id": "pyup.io-40678", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a division by 0 in 'Conv3DBackprop*'. See CVE-2021-29522.", + "cve": "CVE-2021-29522", + "id": "pyup.io-40681", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a division by 0 in 'Conv2DBackpropFilter'. 
See CVE-2021-29524.", + "cve": "CVE-2021-29524", + "id": "pyup.io-40683", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a heap buffer overflow in 'Conv3DBackprop*'. See CVE-2021-29520.", + "cve": "CVE-2021-29520", + "id": "pyup.io-40680", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a segfault in 'SparseCountSparseOutput'. See CVE-2021-29521.", + "cve": "CVE-2021-29521", + "id": "pyup.io-40679", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29532: TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to `tf.raw_ops.RaggedCross`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efea03b38fb8d3b81762237dc85e579cc5fc6e87/tensorflow/core/kernels/ragged_cross_op.cc#L456-L487) lacks validation for the user supplied arguments. Each of the above branches call a helper function after accessing array elements via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index. 
However, as there is no validation that the `next_*` values are in the valid range for the corresponding `*_list` arrays, this results in heap OOB reads. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29532", + "id": "pyup.io-40691", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29539: TensorFlow is an end-to-end open source platform for machine learning. Calling `tf.raw_ops.ImmutableConst`(https://www.tensorflow.org/api_docs/python/tf/raw_ops/ImmutableConst) with a `dtype` of `tf.resource` or `tf.variant` results in a segfault in the implementation as code assumes that the tensor contents are pure scalars. We have patched the issue in 4f663d4b8f0bec1b48da6fa091a7d29609980fa4 and will release TensorFlow 2.5.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. If using `tf.raw_ops.ImmutableConst` in code, you can prevent the segfault by inserting a filter for the `dtype` argument.", + "cve": "CVE-2021-29539", + "id": "pyup.io-40467", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29534: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.SparseConcat`. 
This is because the implementation(https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76) takes the values specified in `shapes[0]` as dimensions for the output shape. The `TensorShape` constructor(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when `InitDims`(https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status. This is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29534", + "id": "pyup.io-40694", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29533: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK` failure by passing an empty image to `tf.raw_ops.DrawBoundingBoxes`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80a40ccca1404f343b5d55f91/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L148-L165) uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled inputs. 
Whereas `OP_REQUIRES` allows returning an error condition back to the user, the `CHECK_*` macros result in a crash if the condition is false, similar to `assert`. In this case, `height` is 0 from the `images` input. This results in `max_box_row_clamp` being negative and the assertion being falsified, followed by aborting program execution. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29533", + "id": "pyup.io-40692", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29537: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedResizeBilinear` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/50711818d2e61ccce012591eeb4fdf93a8496726/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L705-L706) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29537", + "id": "pyup.io-40695", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29513: TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. The conversion from Python array to C++ array(https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L113-L169) is vulnerable to a type confusion. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29513", + "id": "pyup.io-40465", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by invalid validation in 'SparseMatrixSparseCholesky'. 
See CVE-2021-29530.", + "cve": "CVE-2021-29530", + "id": "pyup.io-40688", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix fixes a heap buffer overflow caused by rounding. See CVE-2021-29529.", + "cve": "CVE-2021-29529", + "id": "pyup.io-40689", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a 'CHECK'-fail in 'tf.raw_ops.EncodePng'. See CVE-2021-29531.", + "cve": "CVE-2021-29531", + "id": "pyup.io-40690", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc) does not validate all constraints specified in the op's contract(https://www.tensorflow.org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization). The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29548", + "id": "pyup.io-40468", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29538: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a division by zero to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L513-L522) computes a divisor based on user provided data (i.e., the shape of the tensors given as arguments). If all shapes are empty then `work_unit_size` is 0. Since there is no check for this case before division, this results in a runtime exception, with potential to be abused for a denial of service. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29538", + "id": "pyup.io-40697", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a stack overflow in 'ParseAttrValue' with nested tensors. 
See CVE-2021-29615.", + "cve": "CVE-2021-29615", + "id": "pyup.io-40767", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29549: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L289-L295) computes a modulo operation without validating that the divisor is not zero. Since `vector_num_elements` is determined based on input shapes(https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L522-L544), a user can trigger scenarios where this quantity is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29549", + "id": "pyup.io-40706", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29552: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by controlling the values of `num_segments` tensor argument for `UnsortedSegmentJoin`. 
This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a2a607db15c7cd01d754d37e5448d72a13491bdb/tensorflow/core/kernels/unsorted_segment_join_op.cc#L92-L93) assumes that the `num_segments` tensor is a valid scalar. Since the tensor is empty the `CHECK` involved in `.scalar()()` that checks that the number of elements is exactly 1 will be invalidated and this would result in process termination. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29552", + "id": "pyup.io-40710", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix vulnerabilities where session operations in eager mode lead to null pointer dereferences. See CVE-2021-29518.", + "cve": "CVE-2021-29518", + "id": "pyup.io-40677", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29535: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedMul` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/87cf4d3ea9949051e50ca3f071fc909538a51cd0/tensorflow/core/kernels/quantized_mul_op.cc#L287-L290) assumes that the 4 arguments are always valid scalars and tries to access the numeric value directly. 
However, if any of these tensors is empty, then `.flat()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29535", + "id": "pyup.io-40693", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a null pointer dereference in 'StringNGrams'. See CVE-2021-29541.", + "cve": "CVE-2021-29541", + "id": "pyup.io-40700", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29536: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `QuantizedReshape` by passing in invalid thresholds for the quantization. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba362a5e53d4e74d5de6729933e/tensorflow/core/kernels/quantized_reshape_op.cc#L38-L55) assumes that the 2 arguments are always valid scalars and tries to access the numeric value directly. However, if any of these tensors is empty, then `.flat()` is an empty buffer and accessing the element at position 0 results in overflow. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29536", + "id": "pyup.io-40696", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'StringNGrams'. See CVE-2021-29542.", + "cve": "CVE-2021-29542", + "id": "pyup.io-40699", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29543: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.CTCGreedyDecoder`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1615440b17b364b875eb06f43d087381f1460a65/tensorflow/core/kernels/ctc_decoder_ops.cc#L37-L50) has a `CHECK_LT` inserted to validate some invariants. When this condition is false, the program aborts, instead of returning a valid error to the user. This abnormal termination can be weaponized in denial of service attacks. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29543", + "id": "pyup.io-40702", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29544: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.QuantizeAndDequantizeV4Grad`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/95078c145b5a7a43ee046144005f733092756ab5/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L162-L163) does not validate the rank of the `input_*` tensors. In turn, this results in the tensors being passes as they are to `QuantizeAndDequantizePerChannelGradientImpl`(https://github.com/tensorflow/tensorflow/blob/95078c145b5a7a43ee046144005f733092756ab5/tensorflow/core/kernels/quantize_and_dequantize_op.h#L295-L306). However, the `vec` method, requires the rank to 1 and triggers a `CHECK` failure otherwise. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 as this is the only other affected version.", + "cve": "CVE-2021-29544", + "id": "pyup.io-40701", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29540: TensorFlow is an end-to-end open source platform for machine learning. 
An attacker can cause a heap buffer overflow to occur in `Conv2DBackpropFilter`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L495-L497) computes the size of the filter tensor but does not validate that it matches the number of elements in `filter_sizes`. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29540", + "id": "pyup.io-40698", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.1.0rc0,<2.1.4", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.1.0rc0,<2.1.4,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 update 'curl' to '7.76.0' to handle CVE-2020-8169.", + "cve": "CVE-2020-8169", + "id": "pyup.io-40772", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix fixes a null pointer dereference via invalid Ragged Tensors. See CVE-2021-29516.", + "cve": "CVE-2021-29516", + "id": "pyup.io-40675", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in 'Conv3D'. 
See CVE-2021-29517.", + "cve": "CVE-2021-29517", + "id": "pyup.io-40676", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2 and 2.5.0 fix a reference binding to null pointer in 'MatrixDiag*' ops. See CVE-2021-29515.", + "cve": "CVE-2021-29515", + "id": "pyup.io-40673", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's convolution code. See CVE-2021-29594.", + "cve": "CVE-2021-29594", + "id": "pyup.io-40747", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.2.0rc0,<2.2.3", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.2.0rc0,<2.2.3,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'EmbeddingLookup'. See CVE-2021-29596.", + "cve": "CVE-2021-29596", + "id": "pyup.io-40748", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.2.0rc0,<2.2.3", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.2.0rc0,<2.2.3,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29558: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`. 
This is because the implementation(https://github.com/tensorflow/tensorflow/blob/699bff5d961f0abfde8fa3f876e6d241681fbef8/tensorflow/core/util/sparse/sparse_tensor.h#L528-L530) accesses an array element based on a user controlled offset. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29558", + "id": "pyup.io-40715", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4", + ">=2.4.0rc0,<2.4.2" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4,>=2.4.0rc0,<2.4.2" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29551: TensorFlow is an end-to-end open source platform for machine learning. The implementation of `MatrixTriangularSolve`(https://github.com/tensorflow/tensorflow/blob/8cae746d8449c7dda5298327353d68613f16e798/tensorflow/core/kernels/linalg/matrix_triangular_solve_op_impl.h#L160-L240) fails to terminate kernel execution if one validation condition fails. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29551", + "id": "pyup.io-40708", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29545: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in converting sparse tensors to CSR Sparse matrices. 
This is because the implementation(https://github.com/tensorflow/tensorflow/blob/800346f2c03a27e182dd4fba48295f65e7790739/tensorflow/core/kernels/sparse/kernels.cc#L66) does a double redirection to access an element of an array allocated on the heap. If the value at `indices(i, 0)` is such that `indices(i, 0) + 1` is outside the bounds of `csr_row_ptr`, this results in writing outside of bounds of heap allocated data. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29545", + "id": "pyup.io-40703", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a null pointer dereference in TFLite's 'Reshape' operator. See CVE-2021-29592.", + "cve": "CVE-2021-29592", + "id": "pyup.io-40744", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op(https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L433). Before the `for` loop, `batch_idx` is set to 0. The user controls the `splits` array, making it contain only one element, 0. 
Thus, the code in the `while` loop would increment `batch_idx` and then try to read `splits(1)`, which is outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.", + "cve": "CVE-2021-29512", + "id": "pyup.io-40464", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a segfault in 'CTCBeamSearchDecoder'. See CVE-2021-29581.", + "cve": "CVE-2021-29581", + "id": "pyup.io-40734", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29617: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via `CHECK`-fail in `tf.strings.substr` with invalid arguments. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29617", + "id": "pyup.io-40770", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix an undefined behavior in 'MaxPool3DGradGrad'. 
See CVE-2021-29574.", + "cve": "CVE-2021-29574", + "id": "pyup.io-40728", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.3.0rc0,<2.3.3", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.3.0rc0,<2.3.3,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by incomplete validation in 'tf.raw_ops.CTCLoss'. See CVE-2021-29613.", + "cve": "CVE-2021-29613", + "id": "pyup.io-40766", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29556: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.Reverse`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/36229ea9e9451dac14a8b1f4711c435a1d84a594/tensorflow/core/kernels/reverse_op.cc#L75-L76) performs a division based on the first dimension of the tensor argument. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29556", + "id": "pyup.io-40714", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'Conv2D'. 
See CVE-2021-29526.", + "cve": "CVE-2021-29526", + "id": "pyup.io-40685", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.1.0rc0,<2.1.4", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.1.0rc0,<2.1.4,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29595: TensorFlow is an end-to-end open source platform for machine learning. The implementation of the `DepthToSpace` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/depth_to_space.cc#L63-L69). An attacker can craft a model such that `params->block_size` is 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29595", + "id": "pyup.io-40746", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'QuantizedConv2D'. See CVE-2021-29527.", + "cve": "CVE-2021-29527", + "id": "pyup.io-40686", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a 'CHECK'-fail in 'LoadAndRemapMatrix'. 
See CVE-2021-29561.", + "cve": "CVE-2021-29561", + "id": "pyup.io-40718", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4", + ">=2.3.0rc0,<2.3.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4,>=2.3.0rc0,<2.3.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29585: TensorFlow is an end-to-end open source platform for machine learning. The TFLite computation for size of output after padding, `ComputeOutSize`(https://github.com/tensorflow/tensorflow/blob/0c9692ae7b1671c983569e5d3de5565843d500cf/tensorflow/lite/kernels/padding.h#L43-L55), does not check that the `stride` argument is not 0 before doing the division. Users can craft special models such that `ComputeOutSize` is called with `stride` set to 0. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29585", + "id": "pyup.io-40738", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.2.0rc0,<2.2.3", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.2.0rc0,<2.2.3,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29589: TensorFlow is an end-to-end open source platform for machine learning. The reference implementation of the `GatherNd` TFLite operator is vulnerable to a division by zero error(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/reference_ops.h#L966). An attacker can craft a model such that `params` input would be an empty tensor. In turn, `params_shape.Dims(.)` would be zero, in at least one dimension. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29589", + "id": "pyup.io-40741", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29514: TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read from outside the bounds of the `splits` tensor buffer in the implementation of the `RaggedBincount` op(https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L446). Before the `for` loop, `batch_idx` is set to 0. The attacker sets `splits(0)` to be 7, hence the `while` loop does not execute and `batch_idx` remains 0. This then results in writing to `out(-1, bin)`, which is before the heap allocated buffer for the output tensor. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.", + "cve": "CVE-2021-29514", + "id": "pyup.io-40466", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'TransposeConv'. 
See CVE-2021-29588.", + "cve": "CVE-2021-29588", + "id": "pyup.io-40742", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'BandedTriangularSolve'. See CVE-2021-29612.", + "cve": "CVE-2021-29612", + "id": "pyup.io-40765", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'FusedBatchNorm'. See CVE-2021-29555.", + "cve": "CVE-2021-29555", + "id": "pyup.io-40712", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'SparseMatMul'. See CVE-2021-29557.", + "cve": "CVE-2021-29557", + "id": "pyup.io-40713", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB access in unicode ops. 
See CVE-2021-29559.", + "cve": "CVE-2021-29559", + "id": "pyup.io-40716", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap out of bounds read in 'MaxPoolGradWithArgmax'. See CVE-2021-29570.", + "cve": "CVE-2021-29570", + "id": "pyup.io-40724", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.1.0rc0,<2.1.4", + ">=2.2.0rc0,<2.2.3" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.1.0rc0,<2.1.4,>=2.2.0rc0,<2.2.3" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a null pointer dereference in 'EditDistance'. See CVE-2021-29564.", + "cve": "CVE-2021-29564", + "id": "pyup.io-40721", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29616: TensorFlow is an end-to-end open source platform for machine learning. The implementation of TrySimplify(https://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/grappler/optimizers/arithmetic_optimizer.cc#L390-L401) has undefined behavior due to dereferencing a null pointer in corner cases that result in optimizing a node with no inputs. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29616", + "id": "pyup.io-40768", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29547: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a segfault and denial of service via accessing data outside of bounds in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc#L176-L189) assumes the inputs are not empty. If any of these inputs is empty, `.flat()` is an empty buffer, so accessing the element at index 0 is accessing data outside of bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29547", + "id": "pyup.io-40705", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29610: TensorFlow is an end-to-end open source platform for machine learning. The validation in `tf.raw_ops.QuantizeAndDequantizeV2` allows invalid values for `axis` argument:. 
The validation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74-L77) uses `||` to mix two different conditions. If `axis_ < -1` the condition in `OP_REQUIRES` will still be true, but this value of `axis_` results in heap underflow. This allows attackers to read/write to other data on the heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29610", + "id": "pyup.io-40764", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29587: TensorFlow is an end-to-end open source platform for machine learning. The `Prepare` step of the `SpaceToDepth` TFLite operator does not check for 0 before division(https://github.com/tensorflow/tensorflow/blob/5f7975d09eac0f10ed8a17dbb6f5964977725adc/tensorflow/lite/kernels/space_to_depth.cc#L63-L67). An attacker can craft a model such that `params->block_size` would be zero. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29587", + "id": "pyup.io-40740", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29568: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger undefined behavior by binding to null pointer in `tf.raw_ops.ParameterizedTruncatedNormal`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/3f6fe4dfef6f57e768260b48166c27d148f3015f/tensorflow/core/kernels/parameterized_truncated_normal_op.cc#L630) does not validate input arguments before accessing the first element of `shape`. If `shape` argument is empty, then `shape_tensor.flat()` is an empty array. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29568", + "id": "pyup.io-40723", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29566: TensorFlow is an end-to-end open source platform for machine learning. An attacker can write outside the bounds of heap allocated arrays by passing invalid arguments to `tf.raw_ops.Dilation2DBackpropInput`. 
This is because the implementation(https://github.com/tensorflow/tensorflow/blob/afd954e65f15aea4d438d0a219136fc4a63a573d/tensorflow/core/kernels/dilation_ops.cc#L321-L322) does not validate before writing to the output array. The values for `h_out` and `w_out` are guaranteed to be in range for `out_backprop` (as they are loop indices bounded by the size of the array). However, there are no similar guarantees relating `h_in_max`/`w_in_max` and `in_backprop`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29566", + "id": "pyup.io-40722", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29563: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by exploiting a `CHECK`-failure coming from the implementation of `tf.raw_ops.RFFT`. Eigen code operating on an empty matrix can trigger on an assertion and will cause program termination. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29563", + "id": "pyup.io-40720", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29560: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a heap buffer overflow in `tf.raw_ops.RaggedTensorToTensor`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222) uses the same index to access two arrays in parallel. Since the user controls the shape of the input arguments, an attacker could trigger a heap OOB access when `parent_output_index` is shorter than `row_split`. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29560", + "id": "pyup.io-40717", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29550: TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in `tf.raw_ops.FractionalAvgPool`. 
This is because the implementation(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L85-L89) computes a divisor quantity by dividing two user controlled values. The user controls the values of `input_size[i]` and `pooling_ratio_[i]` (via the `value.shape()` and `pooling_ratio` arguments). If the value in `input_size[i]` is smaller than the `pooling_ratio_[i]`, then the floor operation results in `output_size[i]` being 0. The `DCHECK_GT` line is a no-op outside of debug mode, so in released versions of TF this does not trigger. Later, these computed values are used as arguments(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L96-L99) to `GeneratePoolingSequence`(https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_pool_common.cc#L100-L108). There, the first computation is a division in a modulo operation. Since `output_length` can be 0, this results in runtime crashing. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29550", + "id": "pyup.io-40707", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix an undefined behavior and a 'CHECK'-fail in 'FractionalMaxPoolGrad'. 
See CVE-2021-29580.", + "cve": "CVE-2021-29580", + "id": "pyup.io-40731", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'FractionalAvgPoolGrad'. See CVE-2021-29578.", + "cve": "CVE-2021-29578", + "id": "pyup.io-40732", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'MaxPoolGrad'. See CVE-2021-29579.", + "cve": "CVE-2021-29579", + "id": "pyup.io-40733", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB read in 'tf.raw_ops.Dequantize'. See CVE-2021-29582.", + "cve": "CVE-2021-29582", + "id": "pyup.io-40735", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a 'CHECK'-fail due to integer overflow. 
See CVE-2021-29584.", + "cve": "CVE-2021-29584", + "id": "pyup.io-40736", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29583: TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.FusedBatchNorm` is vulnerable to a heap buffer overflow. If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers. The implementation(https://github.com/tensorflow/tensorflow/blob/57d86e0db5d1365f19adcce848dfc1bf89fdd4c7/tensorflow/core/kernels/fused_batch_norm_op.cc) fails to validate that `scale`, `offset`, `mean` and `variance` (the last two only when required) all have the same number of elements as the number of channels of `x`. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary. If the tensors are empty, the validation mentioned in the above paragraph would also trigger and prevent the undefined behavior. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29583", + "id": "pyup.io-40737", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in optimized pooling implementations in TFLite. 
See CVE-2021-29586.", + "cve": "CVE-2021-29586", + "id": "pyup.io-40739", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB read in TFLite's implementation of 'Minimum' or 'Maximum'. See CVE-2021-29590.", + "cve": "CVE-2021-29590", + "id": "pyup.io-40743", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a stack overflow due to looping TFLite subgraph. See CVE-2021-29591.", + "cve": "CVE-2021-29591", + "id": "pyup.io-40745", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'QuantizedMul'. See CVE-2021-29528.", + "cve": "CVE-2021-29528", + "id": "pyup.io-40687", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'BatchToSpaceNd'. 
See CVE-2021-29593.", + "cve": "CVE-2021-29593", + "id": "pyup.io-40749", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'SpaceToBatchNd'. See CVE-2021-29597.", + "cve": "CVE-2021-29597", + "id": "pyup.io-40750", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'SVDF'. See CVE-2021-29598.", + "cve": "CVE-2021-29598", + "id": "pyup.io-40751", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'Split'. See CVE-2021-29599.", + "cve": "CVE-2021-29599", + "id": "pyup.io-40752", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'OneHot'. 
See CVE-2021-29600.", + "cve": "CVE-2021-29600", + "id": "pyup.io-40753", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of 'DepthwiseConv'. See CVE-2021-29602.", + "cve": "CVE-2021-29602", + "id": "pyup.io-40754", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by zero in TFLite's implementation of hashtable lookup. See CVE-2021-29604.", + "cve": "CVE-2021-29604", + "id": "pyup.io-40755", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a integer overflow in TFLite concatentation. See CVE-2021-29601.", + "cve": "CVE-2021-29601", + "id": "pyup.io-40756", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a integer overflow in TFLite memory allocation. 
See CVE-2021-29605.", + "cve": "CVE-2021-29605", + "id": "pyup.io-40757", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB write in TFLite. See CVE-2021-29603.", + "cve": "CVE-2021-29603", + "id": "pyup.io-40758", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix fixes a heap OOB read in TFLite. See CVE-2021-29606.", + "cve": "CVE-2021-29606", + "id": "pyup.io-40759", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29608: TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L356-L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don't prevent anything. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29608", + "id": "pyup.io-40760", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by incomplete validation in 'SparseAdd'. See CVE-2021-29609.", + "cve": "CVE-2021-29609", + "id": "pyup.io-40761", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by incomplete validation in 'SparseSparseMinimum'. See CVE-2021-29607.", + "cve": "CVE-2021-29607", + "id": "pyup.io-40762", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix vulnerabilities caused by incomplete validation in 'SparseReshape'. See CVE-2021-29611.", + "cve": "CVE-2021-29611", + "id": "pyup.io-40763", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29546: TensorFlow is an end-to-end open source platform for machine learning. 
An attacker can trigger an integer division by zero undefined behavior in `tf.raw_ops.QuantizedBiasAdd`. This is because the implementation of the Eigen kernel(https://github.com/tensorflow/tensorflow/blob/61bca8bd5ba8a68b2d97435ddfafcdf2b85672cd/tensorflow/core/kernels/quantization_utils.h#L812-L849) does a division by the number of elements of the smaller input (based on shape) without checking that this is not zero. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29546", + "id": "pyup.io-40704", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29618: TensorFlow is an end-to-end open source platform for machine learning. Passing a complex argument to `tf.transpose` at the same time as passing `conjugate=True` argument results in a crash. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29618", + "id": "pyup.io-40769", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap OOB in 'QuantizeAndDequantizeV3'. 
See CVE-2021-29553.", + "cve": "CVE-2021-29553", + "id": "pyup.io-40709", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a segfault in 'tf.raw_ops.SparseCountSparseOutput'. See CVE-2021-29619.", + "cve": "CVE-2021-29619", + "id": "pyup.io-40771", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'DenseCountSparseOutput'. See CVE-2021-29554.", + "cve": "CVE-2021-29554", + "id": "pyup.io-40711", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 update 'curl' to '7.76.0' to handle CVE-2020-8177.", + "cve": "CVE-2020-8177", + "id": "pyup.io-40773", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 include a fix for CVE-2020-8231: Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.", + "cve": "CVE-2020-8231", + "id": "pyup.io-40774", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": 
">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 updates 'curl' to '7.76.0' to handle CVE-2020-8284: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.", + "cve": "CVE-2020-8284", + "id": "pyup.io-40775", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 updates 'curl' to '7.76.0' to handle CVE-2020-8286: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.", + "cve": "CVE-2020-8286", + "id": "pyup.io-40777", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a null pointer dereference in 'SparseFillEmptyRows'. See CVE-2021-29565.", + "cve": "CVE-2021-29565", + "id": "pyup.io-40778", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap out of bounds read in 'RequantizationRange'. 
See CVE-2021-29569.", + "cve": "CVE-2021-29569", + "id": "pyup.io-40725", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a 'CHECK'-fail in 'tf.raw_ops.IRFFT'. See CVE-2021-29562.", + "cve": "CVE-2021-29562", + "id": "pyup.io-40719", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix an overflow and a denial of service in 'tf.raw_ops.ReverseSequence'. See CVE-2021-29575.", + "cve": "CVE-2021-29575", + "id": "pyup.io-40726", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a division by 0 in 'MaxPoolGradWithArgmax'. See CVE-2021-29573.", + "cve": "CVE-2021-29573", + "id": "pyup.io-40727", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'MaxPool3DGradGrad'. 
See CVE-2021-29576.", + "cve": "CVE-2021-29576", + "id": "pyup.io-40729", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 fix a heap buffer overflow in 'AvgPool3DGrad'. See CVE-2021-29577.", + "cve": "CVE-2021-29577", + "id": "pyup.io-40730", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "Tensorflow 2.1.4, 2.2.3, 2.3.3, 2.4.2, and 2.5.0 includes a fix for CVE-2021-29571: TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The implementation(https://github.com/tensorflow/tensorflow/blob/31bd5026304677faa8a0b77602c6154171b9aec1/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L116-L130) assumes that the last element of `boxes` input is 4, as required by [the op](https://www.tensorflow.org/api_docs/python/tf/raw_ops/DrawBoundingBoxesV2). Since this is not checked attackers passing values less than 4 can write outside of bounds of heap allocated objects and cause memory corruption. If the last dimension in `boxes` is less than 4, accesses similar to `tboxes(b, bb, 3)` will access data outside of bounds. Further during code execution there are also writes to these indices. The fix will be included in TensorFlow 2.5.0. 
We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29571", + "id": "pyup.io-40470", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + }, + { + "advisory": "The implementation of `tf.raw_ops.SdcaOptimizer` triggers undefined behavior due to dereferencing a null pointer. The implementation(https://github.com/tensorflow/tensorflow/blob/60a45c8b6192a4699f2e2709a2645a751d435cc3/tensorflow/core/kernels/sdca_internal.cc) does not validate that the user supplied arguments satisfy all constraints expected by the op(https://www.tensorflow.org/api_docs/python/tf/raw_ops/SdcaOptimizer). The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.", + "cve": "CVE-2021-29572", + "id": "pyup.io-40471", + "specs": [ + ">=2.5.0rc0,<2.5.0", + ">=2.4.0rc0,<2.4.2", + ">=2.3.0rc0,<2.3.3", + ">=2.2.0rc0,<2.2.3", + ">=2.1.0rc0,<2.1.4" + ], + "v": ">=2.5.0rc0,<2.5.0,>=2.4.0rc0,<2.4.2,>=2.3.0rc0,<2.3.3,>=2.2.0rc0,<2.2.3,>=2.1.0rc0,<2.1.4" + } + ], + "tensorflow-directml": [ + { + "advisory": "Tensorflow-directml 1.10.0 switches from an insecure gRPC dependency to a secure gRPC dependency.", + "cve": "PVE-2021-38781", + "id": "pyup.io-38781", + "specs": [ + "<1.10.0" + ], + "v": "<1.10.0" + }, + { + "advisory": "Tensorflow-directml 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", + "cve": "PVE-2021-38780", + "id": "pyup.io-38780", + "specs": [ + "<1.12.2" + ], + "v": "<1.12.2" + }, + { + "advisory": "Tensorflow-directml 1.12.3 
updates 'sqlite' dependency to 3.28.0 to not be affected by CVE-2018-20505.", + "cve": "CVE-2018-20505", + "id": "pyup.io-39563", + "specs": [ + "<1.12.3" + ], + "v": "<1.12.3" + }, + { + "advisory": "Tensorflow-directml 1.12.3 updates 'png_archive' dependency to 1.6.37 to not be affected by CVE-2018-13785.", + "cve": "CVE-2018-13785", + "id": "pyup.io-39567", + "specs": [ + "<1.12.3" + ], + "v": "<1.12.3" + }, + { + "advisory": "Tensorflow-directml 1.12.3 updates 'png_archive' dependency to 1.6.37 to not be affected by CVE-2018-14048.", + "cve": "CVE-2018-14048", + "id": "pyup.io-39566", + "specs": [ + "<1.12.3" + ], + "v": "<1.12.3" + }, + { + "advisory": "Tensorflow-directml 1.12.3 updates 'sqlite' dependency to 3.28.0 to not be affected by CVE-2018-20346: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.", + "cve": "CVE-2018-20346", + "id": "pyup.io-39564", + "specs": [ + "<1.12.3" + ], + "v": "<1.12.3" + }, + { + "advisory": "Tensorflow-directml 1.12.3 updates 'sqlite' dependency to 3.28.0 to not be affected by CVE-2018-20506: SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). 
This is a different vulnerability than CVE-2018-20346.", + "cve": "CVE-2018-20506", + "id": "pyup.io-39565", + "specs": [ + "<1.12.3" + ], + "v": "<1.12.3" + }, + { + "advisory": "Tensorflow-directml 1.12.3 updates 'png_archive' dependency to 1.6.37 to not be affected by CVE-2019-7317: png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.", + "cve": "CVE-2019-7317", + "id": "pyup.io-39318", + "specs": [ + "<1.12.3" + ], + "v": "<1.12.3" + }, + { + "advisory": "Tensorflow-directml 1.15.2:\r\n* Updates curl to 7.66.0 to handle CVE-2019-5481.", + "cve": "CVE-2019-5481", + "id": "pyup.io-39561", + "specs": [ + "<1.15.2" + ], + "v": "<1.15.2" + }, + { + "advisory": "Tensorflow-directml 1.15.2:\r\n* Updates curl to 7.66.0 to handle CVE-2019-5482.", + "cve": "CVE-2019-5482", + "id": "pyup.io-39562", + "specs": [ + "<1.15.2" + ], + "v": "<1.15.2" + }, + { + "advisory": "Tensorflow-directml 1.15.2 includes a fix for CVE-2019-19646: pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns.", + "cve": "CVE-2019-19646", + "id": "pyup.io-39560", + "specs": [ + "<1.15.2" + ], + "v": "<1.15.2" + }, + { + "advisory": "Tensorflow-directml 1.15.2 includes a fix for CVE-2019-19645: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39559", + "specs": [ + "<1.15.2" + ], + "v": "<1.15.2" + }, + { + "advisory": "Tensorflow-directml 1.15.2:\r\n* Fixes a security vulnerability where converting a Python string to a tf.float16 value produces a segmentation fault. 
See CVE-2020-5215.", + "cve": "CVE-2020-5215", + "id": "pyup.io-38779", + "specs": [ + "<1.15.2" + ], + "v": "<1.15.2" + }, + { + "advisory": "Tensorflow-directml 1.15.2 updates 'sqlite' dependency to 3.30.01 to not be affected by CVE-2019-16168: In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"", + "cve": "CVE-2019-16168", + "id": "pyup.io-39558", + "specs": [ + "<1.15.2" + ], + "v": "<1.15.2" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2018-11770", + "id": "pyup.io-39833", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2018-20330", + "id": "pyup.io-39831", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 includes a fix for CVE-2019-10099: Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. 
This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.", + "cve": "CVE-2019-10099", + "id": "pyup.io-39835", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow 1.15.3 includes a fix for CVE-2019-19645: alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.", + "cve": "CVE-2019-19645", + "id": "pyup.io-39828", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19880", + "id": "pyup.io-38778", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645.", + "cve": "CVE-2019-19244", + "id": "pyup.io-39827", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates curl to 7.69.1 to handle CVE-2019-15601.", + "cve": "CVE-2019-15601", + "id": "pyup.io-39829", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2019-13960", + "id": "pyup.io-39830", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960.", + "cve": "CVE-2018-19664", + "id": "pyup.io-39832", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.3 updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770.", + "cve": "CVE-2018-17190", + "id": 
"pyup.io-39834", + "specs": [ + "<1.15.3" + ], + "v": "<1.15.3" + }, + { + "advisory": "Tensorflow-directml 1.15.4 includes a fix for CVE-2020-11656: In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.", + "cve": "CVE-2020-11656", + "id": "pyup.io-40363", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes an undefined behavior causing a segfault in 'tf.raw_ops.Switch'. See CVE-2020-15190.", + "cve": "CVE-2020-15190", + "id": "pyup.io-39317", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes three vulnerabilities in conversion to DLPack format. One them is CVE-2020-15191.", + "cve": "CVE-2020-15191", + "id": "pyup.io-40346", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes three vulnerabilities in conversion to DLPack format. One them is CVE-2020-15192.", + "cve": "CVE-2020-15192", + "id": "pyup.io-40347", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes three vulnerabilities in conversion to DLPack format. One them is CVE-2020-15193.", + "cve": "CVE-2020-15193", + "id": "pyup.io-40348", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes two vulnerabilities in 'SparseFillEmptyRowsGrad'. One of then is CVE-2020-15194.", + "cve": "CVE-2020-15194", + "id": "pyup.io-40349", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes two vulnerabilities in 'SparseFillEmptyRowsGrad'. One of then is CVE-2020-15195.", + "cve": "CVE-2020-15195", + "id": "pyup.io-40350", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes an integer truncation vulnerability in code using the work sharder API. 
See CVE-2020-15202.", + "cve": "CVE-2020-15202", + "id": "pyup.io-40351", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes a format string vulnerability in 'tf.strings.as_string'. See CVE-2020-15203.", + "cve": "CVE-2020-15203", + "id": "pyup.io-40352", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes segfault raised by calling session-only ops in eager mode. See CVE-2020-15204.", + "cve": "CVE-2020-15204", + "id": "pyup.io-40353", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes data leak and potential ASLR violation from 'tf.raw_ops.StringNGrams'. See CVE-2020-15205.", + "cve": "CVE-2020-15205", + "id": "pyup.io-40354", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes segfaults caused by incomplete 'SavedModel' validation. See CVE-2020-15206.", + "cve": "CVE-2020-15206", + "id": "pyup.io-40355", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 fixes a data corruption issue due to a bug in negative indexing support in TFLite. 
See CVE-2020-15207.", + "cve": "CVE-2020-15207", + "id": "pyup.io-40356", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" }, { - "advisory": "Tensorflow 2.2.1:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214)\r\n* Updates `sqlite3` to `3.33.00` to handle CVE-2020-9327, CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13871, and CVE-2020-15358.", - "cve": null, - "id": "pyup.io-38815", + "advisory": "Tensorflow-directml 1.15.4 fixes a data corruption issue due to dimension mismatch in TFLite. 
See CVE-2020-15208.", + "cve": "CVE-2020-15208", + "id": "pyup.io-40357", "specs": [ - ">=2.2.0rc0,<2.2.1" + "<1.15.4" ], - "v": ">=2.2.0rc0,<2.2.1" + "v": "<1.15.4" }, { - "advisory": "In Tensorflow before versions 2.2.1 and 2.3.1, the implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a `reinterpret_cast` Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails. The issue is patched in commit 22e07fb204386768e5bcbea563641ea11f96ceb8 and is released in TensorFlow versions 2.2.1, or 2.3.1. See: CVE-2020-15193.", - "cve": "CVE-2020-15193", - "id": "pyup.io-38823", + "advisory": "Tensorflow-directml 1.15.4 fixes several vulnerabilities in TFLite saved model format. One of them is CVE-2020-15209.", + "cve": "CVE-2020-15209", + "id": "pyup.io-40358", "specs": [ - ">=2.2.0rc0,<2.2.1", - ">=2.3.0rc0,<2.3.1" + "<1.15.4" ], - "v": ">=2.2.0rc0,<2.2.1,>=2.3.0rc0,<2.3.1" + "v": "<1.15.4" }, { - "advisory": "Tensorflow 2.3.1:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201) \r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager 
mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214)\r\n* Updates `sqlite3` to `3.33.00` to handle (CVE-2020-15358)", - "cve": null, - "id": "pyup.io-38814", + "advisory": "Tensorflow-directml 1.15.4 fixes several vulnerabilities in TFLite saved model format. One of them is CVE-2020-15210.", + "cve": "CVE-2020-15210", + "id": "pyup.io-40359", "specs": [ - ">=2.3.0rc0,<2.3.1" + "<1.15.4" ], - "v": ">=2.3.0rc0,<2.3.1" + "v": "<1.15.4" }, { - "advisory": "Tensorflow 2.4.0:\r\n* Fixes an undefined behavior causing a segfault in `tf.raw_ops.Switch` (CVE-2020-15190)\r\n* Fixes three vulnerabilities in conversion to DLPack format (CVE-2020-15191, CVE-2020-15192, CVE-2020-15193)\r\n* Fixes two vulnerabilities in `SparseFillEmptyRowsGrad` (CVE-2020-15194, CVE-2020-15195)\r\n* Fixes several vulnerabilities in `RaggedCountSparseOutput` and `SparseCountSparseOutput` operations (CVE-2020-15196, CVE-2020-15197, CVE-2020-15198, CVE-2020-15199, CVE-2020-15200, CVE-2020-15201) \r\n* Fixes an integer truncation vulnerability in code using the work sharder API (CVE-2020-15202)\r\n* Fixes a format string vulnerability in `tf.strings.as_string` (CVE-2020-15203)\r\n* Fixes segfault raised by calling session-only ops in eager mode (CVE-2020-15204)\r\n* Fixes data leak and potential ASLR violation from `tf.raw_ops.StringNGrams` (CVE-2020-15205)\r\n* Fixes segfaults caused by incomplete `SavedModel` validation (CVE-2020-15206)\r\n* 
Fixes a data corruption due to a bug in negative indexing support in TFLite (CVE-2020-15207)\r\n* Fixes a data corruption due to dimension mismatch in TFLite (CVE-2020-15208)\r\n* Fixes several vulnerabilities in TFLite saved model format (CVE-2020-15209, CVE-2020-15210, CVE-2020-15211)\r\n* Fixes several vulnerabilities in TFLite implementation of segment sum (CVE-2020-15212, CVE-2020-15213, CVE-2020-15214)", - "cve": null, - "id": "pyup.io-38813", + "advisory": "Tensorflow-directml 1.15.4 fixes several vulnerabilities in TFLite saved model format. One of them is CVE-2020-15211.", + "cve": "CVE-2020-15211", + "id": "pyup.io-40360", "specs": [ - ">=2.4.0rc0,<2.4.0" + "<1.15.4" ], - "v": ">=2.4.0rc0,<2.4.0" - } - ], - "tensorflow-directml": [ + "v": "<1.15.4" + }, { - "advisory": "Tensorflow-directml 1.10.0 switches from an insecure gRPC dependency to a secure gRPC dependency.", - "cve": null, - "id": "pyup.io-38781", + "advisory": "Tensorflow-directml 1.15.4 updates 'sqlite3' to '3.33.00' to handle several CVEs. One of them is CVE-2020-13630.", + "cve": "CVE-2020-13630", + "id": "pyup.io-40366", "specs": [ - "<1.10.0" + "<1.15.4" ], - "v": "<1.10.0" + "v": "<1.15.4" }, { - "advisory": "Tensorflow-directml 1.12.2 fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.", - "cve": null, - "id": "pyup.io-38780", + "advisory": "Tensorflow-directml 1.15.4 includes a fix for CVE-2020-11655: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.", + "cve": "CVE-2020-11655", + "id": "pyup.io-40362", "specs": [ - "<1.12.2" + "<1.15.4" ], - "v": "<1.12.2" + "v": "<1.15.4" }, { - "advisory": "Tensorflow-directml 1.15.2:\r\n* Fixes a security vulnerability where converting a Python string to a tf.float16 value produces a segmentation fault. 
See CVE-2020-5215.\r\n* Updates curl to 7.66.0 to handle CVE-2019-5482 and CVE-2019-5481.\r\n* Updates sqlite3 to 3.30.01 to handle CVE-2019-19646, CVE-2019-19645 and CVE-2019-16168.", - "cve": "CVE-2020-5215, CVE-2019-5482, CVE-2019-5481, CVE-2019-19646, CVE-2019-19645, CVE-2019-16168", - "id": "pyup.io-38779", + "advisory": "Tensorflow-directml 1.15.4 includes a fix for CVE-2020-9327: In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.", + "cve": "CVE-2020-9327", + "id": "pyup.io-40361", "specs": [ - "<1.15.2" + "<1.15.4" ], - "v": "<1.15.2" + "v": "<1.15.4" }, { - "advisory": "Tensorflow-directml 1.15.3:\r\n* Updates sqlite3 to 3.31.01 to handle CVE-2019-19880, CVE-2019-19244 and CVE-2019-19645\r\n* Updates curl to 7.69.1 to handle CVE-2019-15601\r\n* Updates libjpeg-turbo to 2.0.4 to handle CVE-2018-19664, CVE-2018-20330 and CVE-2019-13960\r\n* Updates Apache Spark to 2.4.5 to handle CVE-2019-10099, CVE-2018-17190 and CVE-2018-11770", - "cve": null, - "id": "pyup.io-38778", + "advisory": "Tensorflow-directml 1.15.4 includes a fix for CVE-2020-13631: SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.", + "cve": "CVE-2020-13631", + "id": "pyup.io-40367", "specs": [ - "<1.15.3" + "<1.15.4" ], - "v": "<1.15.3" + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 includes a fix for CVE-2020-13435: SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.", + "cve": "CVE-2020-13435", + "id": "pyup.io-40365", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 includes a fix for CVE-2020-13434: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.", + "cve": "CVE-2020-13434", + "id": "pyup.io-40364", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + 
"advisory": "Tensorflow-directml 1.15.4 includes a fix for CVE-2020-15358: In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.", + "cve": "CVE-2020-15358", + "id": "pyup.io-40369", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.4 includes a fix for CVE-2020-13871: SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.", + "cve": "CVE-2020-13871", + "id": "pyup.io-40368", + "specs": [ + "<1.15.4" + ], + "v": "<1.15.4" + }, + { + "advisory": "Tensorflow-directml 1.15.5 fixes an access to unitialized memory in the 'Eigen' code (CVE-2020-26266).", + "cve": "CVE-2020-26266", + "id": "pyup.io-40322", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow-directml 1.15.5 fixes a security vulnerability caused by lack of validation in 'tf.raw_ops.DataFormatVecPermute' and 'tf.raw_ops.DataFormatDimMap' (CVE-2020-26267).", + "cve": "CVE-2020-26267", + "id": "pyup.io-40333", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow-directml 1.15.5 fixes a vulnerability caused by attempting to write to immutable memory region in 'tf.raw_ops.ImmutableConst' (CVE-2020-26268).", + "cve": "CVE-2020-26268", + "id": "pyup.io-40334", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow-directml 1.15.5 fixes a 'CHECK'-fail in LSTM with zero-length input (CVE-2020-26270).", + "cve": "CVE-2020-26270", + "id": "pyup.io-40335", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow-directml 1.15.5 fixes a security vulnerability caused by accessing heap data outside of bounds when loading a specially crafted 'SavedModel' (CVE-2020-26271).", + "cve": "CVE-2020-26271", + "id": "pyup.io-40336", + "specs": [ + "<1.15.5" + ], + 
"v": "<1.15.5" + }, + { + "advisory": "Tensorflow-directml 1.15.5 updates the 'libjpeg-turbo' dependency to 2.0.5 to handle a security vulnerability (CVE-2020-13790).", + "cve": "CVE-2020-13790", + "id": "pyup.io-40337", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow-directml 1.15.5 updates the 'PCRE' dependency to 8.44 to handle a security vulnerability (CVE-2019-20838).", + "cve": "CVE-2019-20838", + "id": "pyup.io-40339", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow-directml 1.15.5 updates the 'PCRE' dependency to 8.44 to handle a security vulnerability (CVE-2020-14155).", + "cve": "CVE-2020-14155", + "id": "pyup.io-40340", + "specs": [ + "<1.15.5" + ], + "v": "<1.15.5" + }, + { + "advisory": "Tensorflow-directml 1.15.5 includes a fix for CVE-2020-15250: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. 
If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.", + "cve": "CVE-2020-15250", + "id": "pyup.io-40338", + "specs": [ + ">=1.15.0,<1.15.5" + ], + "v": ">=1.15.0,<1.15.5" } ], "tensorpy": [ { "advisory": "Tensorpy 1.5.0 bumps tensorflow to 1.15.4. Tensorflow versions before 1.15.4 are known to be affected by several CVEs.", - "cve": null, + "cve": "PVE-2021-38821", "id": "pyup.io-38821", "specs": [ "<1.5.0" @@ -18175,10 +27792,41 @@ "v": "<1.5.0" } ], + "termius": [ + { + "advisory": "Termius 1.2.13 removed storing of passwords and passphrases locally.", + "cve": "PVE-2021-39270", + "id": "pyup.io-39270", + "specs": [ + "<1.2.13" + ], + "v": "<1.2.13" + }, + { + "advisory": "Termius 1.2.15 fixes its dependency on a cryptography package that's vulnerable to Bleichenbacher timing attacks in the RSA decryption API.", + "cve": "PVE-2021-39250", + "id": "pyup.io-39250", + "specs": [ + "<1.2.15" + ], + "v": "<1.2.15" + } + ], + "tern": [ + { + "advisory": "Tern before version 2.5.0 includes the vulnerable dependency urllib3. See also CVE-2021-28363 and .", + "cve": "PVE-2021-40055", + "id": "pyup.io-40055", + "specs": [ + "<2.5.0" + ], + "v": "<2.5.0" + } + ], "textract": [ { "advisory": "textract before 1.5.0 doesn't properly uses subprocess.call.", - "cve": null, + "cve": "PVE-2021-26157", "id": "pyup.io-26157", "specs": [ "<1.5.0" @@ -18189,7 +27837,7 @@ "tf-encrypted": [ { "advisory": "Tf-encrypted 0.4.0 implements a cryptographically secure random numbers feature.", - "cve": null, + "cve": "PVE-2021-36687", "id": "pyup.io-36687", "specs": [ "<0.4.0" 
@@ -18198,7 +27846,7 @@ }, { "advisory": "Tf-encrypted before 0.5.1 did not include a secure version of `tf.negative`.", - "cve": null, + "cve": "PVE-2021-37058", "id": "pyup.io-37058", "specs": [ "<0.5.1" @@ -18207,7 +27855,7 @@ }, { "advisory": "Tf-encrypted 0.5.6 improves handling for cases where the secure random operation is not available.", - "cve": null, + "cve": "PVE-2021-37373", "id": "pyup.io-37373", "specs": [ "<0.5.6" @@ -18215,10 +27863,21 @@ "v": "<0.5.6" } ], + "tg": [ + { + "advisory": "Tg 0.1.3 makes 'file_path' setting in config file shell escaped for security reasons.", + "cve": "PVE-2021-40256", + "id": "pyup.io-40256", + "specs": [ + "<0.1.3" + ], + "v": "<0.1.3" + } + ], "thamos": [ { "advisory": "Thamos 0.1.0 uses yaml.safe_load for security reasons.", - "cve": null, + "cve": "PVE-2021-37295", "id": "pyup.io-37295", "specs": [ "<0.1.0" @@ -18226,10 +27885,32 @@ "v": "<0.1.0" } ], + "thefuck": [ + { + "advisory": "The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the \"undo archive operation\" feature.", + "cve": "CVE-2021-34363", + "id": "pyup.io-40651", + "specs": [ + "<3.31" + ], + "v": "<3.31" + } + ], + "thinc": [ + { + "advisory": "Thinc 8.0.4 starts to avoid the 'Pydantic' versions with security vulnerabilities.", + "cve": "PVE-2021-40660", + "id": "pyup.io-40660", + "specs": [ + "<8.0.4" + ], + "v": "<8.0.4" + } + ], "thorn": [ { "advisory": "thorn before 1.1.0 has several security vulnerabilities: Now provides HMAC signing by default, No longer dispatches webhooks to internal networks, Now only dispatches to HTTP and HTTPS URLs by default, Now only dispatches to ports 80 and 443 by default, Adds recipient validators", - "cve": null, + "cve": "PVE-2021-26158", "id": "pyup.io-26158", "specs": [ "<1.1.0" 
@@ -18240,7 +27921,7 @@ "thrift": [ { "advisory": "Thrift 0.11.0 improves SSL security by adding cross client checks to make sure SSLv3 protocol cannot be negotiated - see: https://issues.apache.org/jira/browse/THRIFT-4084", - "cve": null, + "cve": "PVE-2021-37644", "id": "pyup.io-37644", "specs": [ "<0.11.0" @@ -18249,7 +27930,7 @@ }, { "advisory": "Thrift 0.9 fixes a denial of Service attack in TBinaryProtocol.readString - see: https://issues.apache.org/jira/browse/THRIFT-2272", - "cve": null, + "cve": "PVE-2021-37646", "id": "pyup.io-37646", "specs": [ "<0.9" @@ -18258,7 +27939,7 @@ }, { "advisory": "Thrift 0.9.3 fixes:\r\n- C++ TSSLSocket shutdown delay/vulnerability - see: https://issues.apache.org/jira/browse/THRIFT-3061\r\n- Thrift C++ library SSL socket by default allows for unsecure SSLv3 negotiation - see: https://issues.apache.org/jira/browse/THRIFT-3164", - "cve": null, + "cve": "PVE-2021-37645", "id": "pyup.io-37645", "specs": [ "<0.9.3" @@ -18278,7 +27959,7 @@ "tiddlyweb": [ { "advisory": "tiddlyweb before 1.2.18 allowed empty passwords to authenticate.", - "cve": null, + "cve": "PVE-2021-26159", "id": "pyup.io-26159", "specs": [ "<1.2.18" 
@@ -18286,10 +27967,32 @@ "v": "<1.2.18" } ], + "time-series-metadata": [ + { + "advisory": "Time-series-metadata 0.1.1 updates dependencies to most current versions to fix security issue with the 'urllib3'.", + "cve": "PVE-2021-40376", + "id": "pyup.io-40376", + "specs": [ + "<0.1.1" + ], + "v": "<0.1.1" + } + ], + "timetagger": [ + { + "advisory": "Timetagger 21.3.3 improves the authentication system to make it more secure (can revoke access).", + "cve": "PVE-2021-40164", + "id": "pyup.io-40164", + "specs": [ + "<21.3.3" + ], + "v": "<21.3.3" + } + ], "tink": [ { "advisory": "The AES-CTR-HMAC-AEAD keys and the EncryptThenAuthenticate subtle implementation in tink versions before 1.4.0 may be vulnerable to chosen-ciphertext attacks. An attacker can generate ciphertexts that bypass the HMAC verification if and only if all of the following conditions are true:\r\n\r\n* Tink C++ is used on systems where size_t is a 32-bit integer. This is usually the case on 32-bit machines.\r\n* The attacker can specify long (>= 2^29 bytes ~ 536MB) associated data.", - "cve": null, + "cve": "PVE-2021-38579", "id": "pyup.io-38579", "specs": [ "<1.4.0" @@ -18300,7 +28003,7 @@ "tiny-gnupg": [ { "advisory": "Tiny-gnupg 0.3.0 overhauls the ``gen_key()`` which now creates a different set of default keys. It no longer creates one primary key which does certifying & signing, with one subkey which handles encryption. Instead, tiny-gnupg 0.3.0 creates one certifying primary key, with three subkeys, one each for handling encryption, authentication, & signing. This is a more theoretically secure default key setup, & represents a common best-practice.", - "cve": null, + "cve": "PVE-2021-37692", "id": "pyup.io-37692", "specs": [ "<0.3.0" @@ -18311,7 +28014,7 @@ "tinydb": [ { "advisory": "tinydb-serialization before 2.0.0 has an insecure implementation in ``ConcurrencyMiddleware``.", - "cve": null, + "cve": "PVE-2021-26160", "id": "pyup.io-26160", "specs": [ "<2.0.0" 
@@ -18319,6 +28022,17 @@ "v": "<2.0.0" } ], + "tksvg": [ + { + "advisory": "Tksvg 0.6 applies security patches 184 and 185.", + "cve": "PVE-2021-39839", + "id": "pyup.io-39839", + "specs": [ + "<0.6" + ], + "v": "<0.6" + } + ], "tlslite": [ { "advisory": "The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash).", 
@@ -18330,10 +28044,31 @@ "v": "<0.4.9" } ], + "tlslite-ng": [ + { + "advisory": "Tlslite-ng 0.7.6 includes a workaround for CVE-2020-26263 - Bleichenbacher oracle in RSA decryption. Please note that while the code was fortified, because of peculiarities of python, it's not possible to fully fix it. If you require resistance against side-channel attacks please use a different library.", + "cve": "CVE-2020-26263", + "id": "pyup.io-39321", + "specs": [ + "<0.7.6" + ], + "v": "<0.7.6" + }, + { + "advisory": "tlslite-ng is an open source python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependent. In particular, the code has multiple ways in which it leaks information about the decrypted ciphertext. It aborts as soon as the plaintext doesn't start with 0x00, 0x02. All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable. This is patched in versions 0.7.6 and 0.8.0-alpha39. Note: the patches depend on Python processing the individual bytes in side-channel free manner, this is known to not the case (see reference). As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of tlslite-ng. See CVE-2020-26263.", + "cve": "CVE-2020-26263", + "id": "pyup.io-39343", + "specs": [ + "<0.7.6", + ">=0.8.0-alpha1,<0.8.0-alpha39" + ], + "v": "<0.7.6,>=0.8.0-alpha1,<0.8.0-alpha39" + } + ], "tmc": [ { "advisory": "tmc 0.3.5 fixes a vulnerability where symlinks in zips could be used to read any file on the server where the server had read access.", - "cve": null, + "cve": "PVE-2021-34672", "id": "pyup.io-34672", "specs": [ "<0.3.5" 
@@ -18344,7 +28079,7 @@ "tmt": [ { "advisory": "Rmt 0.19 makes the discover step a little bit more secure.", - "cve": null, + "cve": "PVE-2021-38635", "id": "pyup.io-38635", "specs": [ "<0.19" @@ -18352,10 +28087,21 @@ "v": "<0.19" } ], + "toggl-to-sqlite": [ + { + "advisory": "Toggl-to-sqlite 0.3.1 this release removed the 'api_token' from the workspaces table. The presence of this field presented a security issue if a user published their 'SQLite' database to a public source (like 'Vercel').", + "cve": "PVE-2021-40617", + "id": "pyup.io-40617", + "specs": [ + "<0.3.1" + ], + "v": "<0.3.1" + } + ], "tomtoolkit": [ { "advisory": "Tomtoolkit 1.6.1 pins the Django version in order to address a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38397", "id": "pyup.io-38397", "specs": [ "<1.6.1" @@ -18364,7 +28110,7 @@ }, { "advisory": "Tomtoolkit 1.6.1alpha.1 is a pre-release that pins the Django version in order to address a security vulnerability.", - "cve": null, + "cve": "PVE-2021-38399", "id": "pyup.io-38399", "specs": [ "<1.6.1alpha.1" @@ -18386,7 +28132,7 @@ "tortoise-orm": [ { "advisory": "Tortoise-orm 0.15.23 fixes SQL injection issues in MySQL when using 'contains', 'starts_with' or 'ends_with' filters (and their case-insensitive counterparts).", - "cve": null, + "cve": "PVE-2021-38916", "id": "pyup.io-38916", "specs": [ "<0.15.23" @@ -18395,7 +28141,7 @@ }, { "advisory": "Tortoise-orm 0.16.6:\r\n- Fixed SQL injection issue in MySQL\r\n- Fixed SQL injection issues in MySQL when using ``contains``, ``starts_with`` or ``ends_with`` filters (and their case-insensitive counterparts)\r\n- Fixed malformed SQL for PostgreSQL and SQLite when using ``contains``, ``starts_with`` or ``ends_with`` filters (and their case-insensitive counterparts)", - "cve": null, + "cve": "PVE-2021-38196", "id": "pyup.io-38196", "specs": [ "<0.16.6" 
@@ -18406,7 +28152,7 @@ "tqdm": [ { "advisory": "The tqdm._version module in tqdm versions before 4.11.2 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.", - "cve": null, + "cve": "PVE-2021-34741", "id": "pyup.io-34741", "specs": [ "<4.11.2" @@ -18417,7 +28163,7 @@ "tracauthopenid": [ { "advisory": "tracauthopenid before 0.4.4 does not properly authorize if no email address was returned via AX or SREG, the ``email_white_list`` config option was being ignored. Now if ``email_white_list`` is set and no email address can be determined, authorization will be denied.", - "cve": null, + "cve": "PVE-2021-26162", "id": "pyup.io-26162", "specs": [ "<0.4.4" @@ -18425,10 +28171,21 @@ "v": "<0.4.4" } ], + "transformers": [ + { + "advisory": "Transformers 4.5.0 includes various vulnerability fixes.", + "cve": "PVE-2021-40187", + "id": "pyup.io-40187", + "specs": [ + "<4.5.0" + ], + "v": "<4.5.0" + } + ], "trash-cli": [ { "advisory": "trash-cli before 0.17.1.14 has a bug that causes trash-put to use $topdir/.Trash/UID trashcan even when it is not secure and $topdir/.Trash-UID should be used instead.", - "cve": null, + "cve": "PVE-2021-34319", "id": "pyup.io-34319", "specs": [ "<0.17.1.14" @@ -18439,7 +28196,7 @@ "trio-websockets": [ { "advisory": "trio-websockets before 5.0 was vulnerable to denial of service by memory exhaustion because it didn't enforce ``max_size`` when decompressing compressed messages.", - "cve": null, + "cve": "PVE-2021-36390", "id": "pyup.io-36390", "specs": [ "<5.0" @@ -18471,7 +28228,7 @@ "trosnoth": [ { "advisory": "trosnoth before 1.13.0 had insecure hard-coded server settings in the configuration file.", - "cve": null, + "cve": "PVE-2021-36954", "id": "pyup.io-36954", "specs": [ "<1.13.0" 
@@ -18482,7 +28239,7 @@ "trustpilot": [ { "advisory": "Trustpilot 6.1.0 includes security upgrades of the requests and urllib dependencies.", - "cve": null, + "cve": "PVE-2021-38105", "id": "pyup.io-38105", "specs": [ "<6.1.0" @@ -18515,7 +28272,7 @@ "ttrv": [ { "advisory": "Ttrv 1.12.1 fixes a security vulnerability where malicious URLs could inject python code.", - "cve": null, + "cve": "PVE-2021-38370", "id": "pyup.io-38370", "specs": [ "<1.12.1" @@ -18526,7 +28283,7 @@ "tuf": [ { "advisory": "Tuf 0.11.1 prevents a persistent freeze attack - see: https://github.com/theupdateframework/tuf/pull/737", - "cve": null, + "cve": "PVE-2021-36279", "id": "pyup.io-36279", "specs": [ "<0.11.1" 
@@ -18534,13 +28291,195 @@ "v": "<0.11.1" }, { - "advisory": "Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer. See: CVE-2020-15163.", - "cve": "CVE-2020-15163", - "id": "pyup.io-38769", + "advisory": "Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer. 
See: CVE-2020-15163.", + "cve": "CVE-2020-15163", + "id": "pyup.io-38769", + "specs": [ + "<0.12.dev0" + ], + "v": "<0.12.dev0" + } + ], + "tutor": [ + { + "advisory": "Tutor 10.0.5 applies upstream XSS security fixes for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40919", + "id": "pyup.io-40919", + "specs": [ + "<10.0.5" + ], + "v": "<10.0.5" + }, + { + "advisory": "Tutor 10.1.0 includes upstream XSS security fixes for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40918", + "id": "pyup.io-40918", + "specs": [ + "<10.1.0" + ], + "v": "<10.1.0" + }, + { + "advisory": "Tutor 10.2.0 includes a security patch for JavaScript code in the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40917", + "id": "pyup.io-40917", + "specs": [ + "<10.2.0" + ], + "v": "<10.2.0" + }, + { + "advisory": "Tutor 10.5.3 applies upstream security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40916", + "id": "pyup.io-40916", + "specs": [ + "<10.5.3" + ], + "v": "<10.5.3" + }, + { + "advisory": "Tutor 11.0.1 applies a security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40915", + "id": "pyup.io-40915", + "specs": [ + "<11.0.1" + ], + "v": "<11.0.1" + }, + { + "advisory": "Tutor 11.0.6 applies a security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40914", + "id": "pyup.io-40914", + "specs": [ + "<11.0.6" + ], + "v": "<11.0.6" + }, + { + "advisory": "Tutor 11.0.7 includes a security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40913", + "id": "pyup.io-40913", + "specs": [ + "<11.0.7" + ], + "v": "<11.0.7" + }, + { + "advisory": "Tutor 11.1.1 includes a security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40912", + "id": "pyup.io-40912", + "specs": [ + "<11.1.1" + ], + "v": "<11.1.1" + }, + { + "advisory": "Tutor 11.1.3 includes a security patch for the 'edx-platform' underlying dependency.", + "cve": 
"PVE-2021-40911", + "id": "pyup.io-40911", + "specs": [ + "<11.1.3" + ], + "v": "<11.1.3" + }, + { + "advisory": "Tutor 11.1.4 applies a security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40910", + "id": "pyup.io-40910", + "specs": [ + "<11.1.4" + ], + "v": "<11.1.4" + }, + { + "advisory": "Tutor 11.1.5 includes security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40909", + "id": "pyup.io-40909", + "specs": [ + "<11.1.5" + ], + "v": "<11.1.5" + }, + { + "advisory": "Tutor 11.2.10 applies security patches for the 'Django' dependency by upgrading from 2.2.20 to 2.2.23.", + "cve": "PVE-2021-40906", + "id": "pyup.io-40906", + "specs": [ + "<11.2.10" + ], + "v": "<11.2.10" + }, + { + "advisory": "Tutor 11.2.2 includes a security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40908", + "id": "pyup.io-40908", + "specs": [ + "<11.2.2" + ], + "v": "<11.2.2" + }, + { + "advisory": "Tutor 11.2.7 applies a security patch for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40907", + "id": "pyup.io-40907", + "specs": [ + "<11.2.7" + ], + "v": "<11.2.7" + }, + { + "advisory": "Tutor 3.12.3 applies most recent security patches for the 'edx-platform' underlying dependency.", + "cve": "PVE-2021-40920", + "id": "pyup.io-40920", + "specs": [ + "<3.12.3" + ], + "v": "<3.12.3" + }, + { + "advisory": "Tutor 3.3.5 updates the 'Jinja2' underlying dependency to fix a security vulnerability.", + "cve": "PVE-2021-40925", + "id": "pyup.io-40925", + "specs": [ + "<3.3.5" + ], + "v": "<3.3.5" + }, + { + "advisory": "Tutor 3.5.2 applies certificate XSS security patch.", + "cve": "PVE-2021-40924", + "id": "pyup.io-40924", + "specs": [ + "<3.5.2" + ], + "v": "<3.5.2" + }, + { + "advisory": "Tutor 3.6.0 fixes insecure static asset loading when web proxy is enabled.", + "cve": "PVE-2021-40923", + "id": "pyup.io-40923", + "specs": [ + "<3.6.0" + ], + "v": "<3.6.0" + }, + { + "advisory": "Tutor 3.6.3 
fixes the 'CustomTagModule' template injection.", + "cve": "PVE-2021-40922", + "id": "pyup.io-40922", + "specs": [ + "<3.6.3" + ], + "v": "<3.6.3" + }, + { + "advisory": "Tutor 3.9.0 includes security patches for the 'Django' underlying dependency (1.11.21 -> 1.11.27).", + "cve": "PVE-2021-40921", + "id": "pyup.io-40921", "specs": [ - "<0.12.dev0" + "<3.9.0" ], - "v": "<0.12.dev0" + "v": "<3.9.0" } ], "tweepy": [ @@ -18557,7 +28496,7 @@ "twilio": [ { "advisory": "twilio before 3.5.0 is vulnerable to a timing attack vector in signature validation.", - "cve": null, + "cve": "PVE-2021-26169", "id": "pyup.io-26169", "specs": [ "<3.5.0" @@ -18568,7 +28507,7 @@ "twine": [ { "advisory": "Twine 2.0.0 bumps requests to 2.20 (or later) to avoid reported security vulnerabilities in earlier releases (bug 491).", - "cve": null, + "cve": "PVE-2021-37504", "id": "pyup.io-37504", "specs": [ "<2.0.0" @@ -18576,6 +28515,17 @@ "v": "<2.0.0" } ], + "twirp": [ + { + "advisory": "A security vulnerability was discovered in twirp before 5.5.1 in the 'requirements.txt' file that is used to test Python-generated code, and could be used as sub-dependency checks for Python projects using Twirp.", + "cve": "PVE-2021-39334", + "id": "pyup.io-39334", + "specs": [ + "<5.5.1" + ], + "v": "<5.5.1" + } + ], "twisted": [ { "advisory": "Twisted Web 16.4.0 includes the following three security fixes:\r\n- A bug in twisted.web.server.Site.makeSession which may lead to predictable session IDs was fixed. Session IDs are now generated securely using `os.urandom`.\r\n- twisted.web.server.Request.getSession will now, for a request sent over HTTPS, set a \"Secure\" cookie, preventing the secure session from being sent over plain-text HTTP. \r\n- twisted.web.twcgi.CGIScript will now not pass the \"Proxy\" header to CGI scripts, as a mitigation to CVE-2016-1000111.", 
@@ -18588,16 +28538,25 @@ }, { "advisory": "In twisted Core 17.1.0, twisted.internet.ssl.CertificateOptions has the new constructor argument 'raiseMinimumTo', allowing you to increase the minimum TLS version to this version or Twisted's default, whichever is higher. The additional new constructor arguments 'lowerMaximumSecurityTo' and 'insecurelyLowerMinimumTo' allow finer grained control over negotiated versions that don't honour Twisted's defaults, for working around broken peers, at the cost of reducing the security of the TLS it will negotiate. (#6800)", - "cve": null, + "cve": "PVE-2021-34914", "id": "pyup.io-34914", "specs": [ "<17.1.0" ], "v": "<17.1.0" }, + { + "advisory": "In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request. See: CVE-2020-10109.", + "cve": "CVE-2020-10109", + "id": "pyup.io-39557", + "specs": [ + "<19.10.0" + ], + "v": "<19.10.0" + }, { "advisory": "Before twisted 19.2.0, the twisted.web.client.Request and twisted.web.client.HTTPClient were both vulnerable to header injection attacks. They now replace linear whitespace ('\\r', '\\n', and '\\r\\n') with a single space. (#9421)", - "cve": null, + "cve": "PVE-2021-37040", "id": "pyup.io-37040", "specs": [ "<19.2.0" 
@@ -18623,8 +28582,8 @@ "v": "<19.7.0" }, { - "advisory": "In twisted before 20.3.0, twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108) and now fail with a 400; requests with a Content-Length header and a Transfer-Encoding header honored the first header (CVE-2020-10109) and now fail with a 400; requests whose Transfer-Encoding header had a value other than \"chunked\" and \"identity\" were allowed and now fail with a 400.", - "cve": "CVE-2020-10108,CVE-2020-10109", + "advisory": "In twisted before 20.3.0, twisted.web.http was subject to several request smuggling attacks. Requests with multiple Content-Length headers were allowed (CVE-2020-10108) and now fail with a 400.", + "cve": "CVE-2020-10108", "id": "pyup.io-38085", "specs": [ "<20.3.0" @@ -18635,7 +28594,7 @@ "twitchirc": [ { "advisory": "twitchirc before 1.3 does not include a secure option to [`Connection`](twitchirc/twitchirc/connection.py)", - "cve": null, + "cve": "PVE-2021-37820", "id": "pyup.io-37820", "specs": [ "<1.3" @@ -18646,7 +28605,7 @@ "twodolib": [ { "advisory": "Twodolib 0.5.1 updated its requirements for security reasons.", - "cve": null, + "cve": "PVE-2021-37306", "id": "pyup.io-37306", "specs": [ "<0.5.1" @@ -18679,7 +28638,7 @@ "typesense": [ { "advisory": "Typesense 0.13.0 allows one to generate API keys with fine-grained access control restrictions for better security.", - "cve": null, + "cve": "PVE-2021-38798", "id": "pyup.io-38798", "specs": [ "<0.13.0" 
@@ -18687,10 +28646,21 @@ "v": "<0.13.0" } ], + "uciparse": [ + { + "advisory": "Uciparse 0.1.9 updates build process to include security scans using Safety.", + "cve": "PVE-2021-39605", + "id": "pyup.io-39605", + "specs": [ + "<0.1.9" + ], + "v": "<0.1.9" + } + ], "udata": [ { "advisory": "Udata 1.6.16 prevents Google ranking spam attacks on reuse pages (`rel=nofollow` on reuse link) - see: https://github.com/opendatateam/udata/pull/2320", - "cve": null, + "cve": "PVE-2021-37589", "id": "pyup.io-37589", "specs": [ "<1.6.16" @@ -18699,7 +28669,7 @@ }, { "advisory": "Udata 2.0.2 disallow html tags in markdown-it (JS markdown rendering) for security reasons. See: .", - "cve": null, + "cve": "PVE-2021-38161", "id": "pyup.io-38161", "specs": [ "<2.0.2" @@ -18710,7 +28680,7 @@ "ugoira": [ { "advisory": "Ugoira 0.5.0 uses secure protocol (HTTPS) instead of naive (HTTP).", - "cve": null, + "cve": "PVE-2021-37200", "id": "pyup.io-37200", "specs": [ "<0.5.0" @@ -18718,10 +28688,21 @@ "v": "<0.5.0" } ], + "uiautomator2": [ + { + "advisory": "Uiautomator2 2.13.2 updates the 'atx-agent' dependency to fix a security error.", + "cve": "PVE-2021-41029", + "id": "pyup.io-41029", + "specs": [ + "<2.13.2" + ], + "v": "<2.13.2" + } + ], "unicef-locations": [ { "advisory": "unicef-locations 1.4.2 updates requirements, django security alert, and moved to psycopg2-binary", - "cve": null, + "cve": "PVE-2021-36717", "id": "pyup.io-36717", "specs": [ "<1.4.2" @@ -18732,7 +28713,7 @@ "unicef-rest-export": [ { "advisory": "unicef-rest-export 0.5.2 updates django and pyyaml requirements for security patches", - "cve": null, + "cve": "PVE-2021-36990", "id": "pyup.io-36990", "specs": [ "<0.5.2" @@ -18743,7 +28724,7 @@ "unleashclient": [ { "advisory": "unleashclient 1.0.2 updates requests version to address security issue in dependency.", - "cve": null, + "cve": "PVE-2021-36585", "id": "pyup.io-36585", "specs": [ "<1.0.2" 
@@ -18754,7 +28735,7 @@ "urlib3": [ { "advisory": "urlib3 is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, + "cve": "PVE-2021-34986", "id": "pyup.io-34986", "specs": [ ">0", @@ -18775,7 +28756,7 @@ }, { "advisory": "urllib is a package affected by pytosquatting: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/", - "cve": null, + "cve": "PVE-2021-34987", "id": "pyup.io-34987", "specs": [ ">0", @@ -18786,7 +28767,7 @@ ], "urllib3": [ { - "advisory": "urllib3 before 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.", + "advisory": "urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.", "cve": "CVE-2018-20060", "id": "pyup.io-36541", "specs": [ 
@@ -18795,7 +28776,7 @@ "v": "<1.23" }, { - "advisory": "The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. See: CVE-2019-11324.", + "advisory": "The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.", "cve": "CVE-2019-11324", "id": "pyup.io-37071", "specs": [ @@ -18804,7 +28785,7 @@ "v": "<1.24.2" }, { - "advisory": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). See: CVE-2020-26137. (NOTE: this is similar to CVE-2020-26116.)", + "advisory": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). See: CVE-2020-26137. NOTE: this is similar to CVE-2020-26116.", "cve": "CVE-2020-26137", "id": "pyup.io-38834", "specs": [ @@ -18814,7 +28795,7 @@ }, { "advisory": "Urllib3 1.8 improves the default SSL/TLS settings to avoid vulnerabilities.", - "cve": null, + "cve": "PVE-2021-39094", "id": "pyup.io-39094", "specs": [ "<1.8" 
@@ -18822,7 +28803,7 @@ "v": "<1.8" }, { - "advisory": "In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. See: CVE-2019-11236.", + "advisory": "In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.", "cve": "CVE-2019-11236", "id": "pyup.io-37055", "specs": [ @@ -18832,7 +28813,7 @@ }, { "advisory": "Users who are using urllib3 version 1.17 or 1.18 along with PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This release fixes a vulnerability whereby urllib3 in the above configuration would silently fail to validate TLS certificates due to erroneously setting invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous flags do not cause a problem in OpenSSL versions before 1.1.0, which interprets the presence of any flag as requesting certificate validation.", - "cve": null, + "cve": "PVE-2021-26170", "id": "pyup.io-26170", "specs": [ "==1.17", 
@@ -18848,11 +28829,20 @@ ">=1.25.2,<=1.25.7" ], "v": ">=1.25.2,<=1.25.7" + }, + { + "advisory": "Urllib3 1.26.4 includes a fix for CVE-2021-28363: The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.", + "cve": "CVE-2021-28363", + "id": "pyup.io-40014", + "specs": [ + ">=1.26.0,<1.26.4" + ], + "v": ">=1.26.0,<1.26.4" } ], "uvicorn": [ { - "advisory": "This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). See: CVE-2020-7694.", + "advisory": "The request logger provided by Uvicorn prior to version 0.11.7 is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. 
When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file). See: CVE-2020-7694.", "cve": "CVE-2020-7694", "id": "pyup.io-38664", "specs": [ @@ -18884,7 +28874,7 @@ "verifone": [ { "advisory": "verifone 0.1.8 updates Pipfiles and requirement files. There was security issue in PyYAML module.", - "cve": null, + "cve": "PVE-2021-36774", "id": "pyup.io-36774", "specs": [ "<0.1.8" @@ -18895,7 +28885,7 @@ "vermin": [ { "advisory": "Vermin 0.10.1 fixes the security advisory by upgrading bleach from 3.1.0 to 3.1.1.", - "cve": null, + "cve": "PVE-2021-38033", "id": "pyup.io-38033", "specs": [ "<0.10.1" @@ -18904,7 +28894,7 @@ }, { "advisory": "Vermin 0.10.2 upgrades bleach from 3.1.1 to 3.1.2 and 3.1.2 to 3.1.4 to fix a security advisory.", - "cve": null, + "cve": "PVE-2021-38692", "id": "pyup.io-38692", "specs": [ "<0.10.2" @@ -18913,7 +28903,7 @@ }, { "advisory": "vermin 0.4.11 Due to a security vulnerability in PyYAML <=3.13, it has been updated to 4.2b1.", - "cve": null, + "cve": "PVE-2021-36942", "id": "pyup.io-36942", "specs": [ "<0.4.11" @@ -18922,7 +28912,7 @@ }, { "advisory": "vermin 0.4.8 updates `requests` to 2.20.0 to avoid security vulnerability in <=2.19.1", - "cve": null, + "cve": "PVE-2021-36603", "id": "pyup.io-36603", "specs": [ "<0.4.8" 
@@ -18931,7 +28921,7 @@ }, { "advisory": "vermin 0.4.9 updates a security vulnerability in `urllib3` <1.23. It has been updated to 1.24.1. `requests` has been updates to 2.20.0 in v0.4.8.", - "cve": null, + "cve": "PVE-2021-36725", "id": "pyup.io-36725", "specs": [ "<0.4.9" @@ -18939,7 +28929,7 @@ "v": "<0.4.9" }, { - "advisory": "Vermin 0.5.0 upgrades urllib3 to version 1.24.2 due to a security vulnerability. See CVE-2019-11324.", + "advisory": "Vermin 0.5.0 includes a fix for CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.", "cve": "CVE-2019-11324", "id": "pyup.io-37094", "specs": [ @@ -18948,10 +28938,21 @@ "v": "<0.5.0" } ], + "vineyard": [ + { + "advisory": "Vineyard 0.1.2 includes an update that ensures avoiding being attacked by a invalid client.", + "cve": "PVE-2021-39346", + "id": "pyup.io-39346", + "specs": [ + "<0.1.2" + ], + "v": "<0.1.2" + } + ], "vips-hash": [ { "advisory": "Vips-hash 0.2.0 sets `pycryptodomex` version to `>=3.6.6,<4` to fix a vulnerability.", - "cve": null, + "cve": "PVE-2021-37354", "id": "pyup.io-37354", "specs": [ "<0.2.0" @@ -18972,7 +28973,7 @@ ], "virustotal-python": [ { - "advisory": "Virustotal-python 0.0.3 updates urllib3 to 1.24.2 for security reasons. See CVE-2019-11236.", + "advisory": "Virustotal-python 0.0.3 includes a fix for CVE-2019-11236: In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.", "cve": "CVE-2019-11236", "id": "pyup.io-37078", "specs": [ 
@@ -18982,7 +28983,7 @@ }, { "advisory": "Virustotal-python 0.0.8 bumps dependencies to address security issues", - "cve": null, + "cve": "PVE-2021-37960", "id": "pyup.io-37960", "specs": [ "<0.0.8" @@ -18991,18 +28992,27 @@ }, { "advisory": "Virustotal-python 0.0.9 includes updates of some dependencies due to security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-38227", "id": "pyup.io-38227", "specs": [ "<0.0.9" ], "v": "<0.0.9" + }, + { + "advisory": "Virustotal-python 0.1.2 updates the version of 'urllib3' to 1.26.4 to address a security vulnerability.", + "cve": "PVE-2021-40663", + "id": "pyup.io-40663", + "specs": [ + "<0.1.2" + ], + "v": "<0.1.2" } ], "visidata": [ { "advisory": "For security reasons, `.py` loader moved out of VisiData core version 2.-2 and into snippets.", - "cve": null, + "cve": "PVE-2021-38871", "id": "pyup.io-38871", "specs": [ "<2.-2" @@ -19010,10 +29020,21 @@ "v": "<2.-2" } ], + "vmsshgen": [ + { + "advisory": "Vmsshgen 1.0.0 includes the possibility to work with the password file (for slightly more security).", + "cve": "PVE-2021-39503", + "id": "pyup.io-39503", + "specs": [ + "<1.0.0" + ], + "v": "<1.0.0" + } + ], "vnccollab-theme": [ { "advisory": "Vnccollab-theme before 1.5.2 has an undisclosed vulnerability in VNC Zimlet.", - "cve": null, + "cve": "PVE-2021-35976", "id": "pyup.io-35976", "specs": [ "<1.5.2" @@ -19024,7 +29045,7 @@ "vnccollab.theme": [ { "advisory": "Vnccollab.theme before 1.5.2 has an undisclosed vulnerability in VNC Zimlet.", - "cve": null, + "cve": "PVE-2021-26173", "id": "pyup.io-26173", "specs": [ "<1.5.2" @@ -19035,7 +29056,7 @@ "vorta": [ { "advisory": "Vorta 0.6.21 includes a not further specified, small security improvement.", - "cve": null, + "cve": "PVE-2021-37332", "id": "pyup.io-37332", "specs": [ "<0.6.21" 
@@ -19044,6 +29065,17 @@ } ], "wagtail": [ + { + "advisory": "A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.", + "cve": "CVE-2021-32681", + "id": "pyup.io-40803", + "specs": [ + "<2.11.8", + ">=2.13rc1,<=2.13.1", + ">=2.12rc1,<=2.12.4" + ], + "v": "<2.11.8,>=2.13rc1,<=2.13.1,>=2.12rc1,<=2.12.4" + }, { "advisory": "Wagtail 2.7.2 fixes CVE-2020-11001, which allows a XSS attack via page revision comparison view.", "cve": "CVE-2020-11001", 
@@ -19072,6 +29104,16 @@ ], "v": "<2.7.4" }, + { + "advisory": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch). See CVE-2021-29434.", + "cve": "CVE-2021-29434", + "id": "pyup.io-40230", + "specs": [ + ">=2.11a1,<2.11.7", + ">=2.12a1,<2.12.4" + ], + "v": ">=2.11a1,<2.11.7,>=2.12a1,<2.12.4" + }, { "advisory": "Wagtail 2.7.2 fixes CVE-2020-11001, which allows a XSS attack via page revision comparison view.", "cve": "CVE-2020-11001", 
@@ -19081,6 +29123,15 @@ ], "v": ">=2.8,<2.8.1" }, + { + "advisory": "Wagtail 2.9.3 includes a fix for CVE-2020-15118 to prevent HTML injection through the form field help text.", + "cve": "CVE-2020-15118", + "id": "pyup.io-38921", + "specs": [ + ">=2.9.0,<2.9.3" + ], + "v": ">=2.9.0,<2.9.3" + }, { "advisory": "In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as form.as_p, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.4 (for the LTS 2.7 branch) and Wagtail 2.9.3 (for the current 2.9 branch). In these versions, help text will be escaped to prevent the inclusion of HTML tags. Site owners who wish to re-enable the use of HTML within help text (and are willing to accept the risk of this being exploited by editors) may set WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True in their configuration settings. Site owners who are unable to upgrade to the new versions can secure their form page templates by rendering forms field-by-field as per Django's documentation, but omitting the |safe filter when outputting the help text. See: CVE-2020-15118.", "cve": "CVE-2020-15118", 
@@ -19095,7 +29146,7 @@ "wagtail-2fa": [ { "advisory": "Wagtail-2fa 1.1.0 requires the user to enter their password when creating a new token. This is done based on feedback of a security test by an external company.", - "cve": null, + "cve": "PVE-2021-37614", "id": "pyup.io-37614", "specs": [ "<1.1.0" @@ -19104,7 +29155,7 @@ }, { "advisory": "wagtail-2fa 1.4.1 resolve a possible vulnerability where users could delete other users' 2FA devices", - "cve": null, + "cve": "PVE-2021-37860", "id": "pyup.io-37860", "specs": [ "<1.4.1" @@ -19115,7 +29166,7 @@ "waitress": [ { "advisory": "Waitress 0.9.0 adds in checking for line feed/carriage return HTTP Response Splitting in the status line, as well as\r\n the key of a header. See https://github.com/Pylons/waitress/pull/124 and https://github.com/Pylons/waitress/issues/122.", - "cve": null, + "cve": "PVE-2021-36764", "id": "pyup.io-36764", "specs": [ "<0.9.0" @@ -19124,7 +29175,7 @@ }, { "advisory": "Waitress before 1.0.0 drops HTTP headers that contain an underscore in the key when received from a client. This is to stop any possible underscore/dash conflation that may lead to security issues. See: https://github.com/Pylons/waitress/pull/80 and https://www.djangoproject.com/weblog/2015/jan/13/security/", - "cve": null, + "cve": "PVE-2021-26174", "id": "pyup.io-26174", "specs": [ "<1.0.0" @@ -19133,7 +29184,7 @@ }, { "advisory": "waitress 1.2.0b1 provides a new security feature when using Waitress behind a proxy in that it is possible to remove untrusted proxy headers thereby making sure that downstream WSGI applications don't accidentally use those proxy headers to make security decisions", - "cve": null, + "cve": "PVE-2021-26390", "id": "pyup.io-26390", "specs": [ "<1.2.0b1" 
@@ -19141,8 +29192,17 @@ "v": "<1.2.0b1" }, { - "advisory": "Waitress 1.4.0 addresses an issue in which a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR, (although the line terminator for the start-line and header fields is the sequence CRLF).\r\n\r\nSee\r\nhttps://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6\r\nCVE-ID: CVE-2019-16785\r\nCVE-ID: CVE-2019-16786", - "cve": "CVE-2019-16785, CVE-2019-16786", + "advisory": "Waitress 1.4.0 addresses an issue in which a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR, (although the line terminator for the start-line and header fields is the sequence CRLF).\r\n\r\nSee\r\nhttps://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6\r\nCVE-ID: CVE-2019-16786", + "cve": "CVE-2019-16786", + "id": "pyup.io-39556", + "specs": [ + "<1.4.0" + ], + "v": "<1.4.0" + }, + { + "advisory": "Waitress 1.4.0 addresses an issue in which a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR, (although the line terminator for the start-line and header fields is the sequence CRLF).\r\n\r\nSee\r\nhttps://blog.zeddyu.info/2019/12/08/HTTP-Smuggling-en/\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p\r\nhttps://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6\r\n\r\nSee: CVE-2019-16785", + "cve": "CVE-2019-16785", "id": "pyup.io-37822", "specs": [ "<1.4.0" 
@@ -19169,7 +29229,7 @@ }, { "advisory": "waitress 1.4.3 fixes a regular expression function (introduced in 1.4.2 to make sure that it matches RFC7230) that led to catastrophic backtracking which allows for a Denial of Service and CPU usage going to a 100% - see https://github.com/Pylons/waitress/security/advisories/GHSA-73m2-3pwg-5fgc", - "cve": null, + "cve": "PVE-2021-37667", "id": "pyup.io-37667", "specs": [ "<1.4.3" @@ -19180,7 +29240,7 @@ "wandb": [ { "advisory": "Socket in wandb 0.8.0 only binds to localhost for improved security and prevents firewall warnings in OSX.", - "cve": null, + "cve": "PVE-2021-37149", "id": "pyup.io-37149", "specs": [ "<0.8.0" @@ -19197,10 +29257,21 @@ "v": "<0.8.2" } ], + "warfit-learn": [ + { + "advisory": "Warfit-learn 0.2 includes minor security improvements for dependencies.", + "cve": "PVE-2021-39213", + "id": "pyup.io-39213", + "specs": [ + "<0.2" + ], + "v": "<0.2" + } + ], "wasmer": [ { "advisory": "Wasmer 0.2.1 updates the hashing algorithm for caching to be crypto-secure.", - "cve": null, + "cve": "PVE-2021-37044", "id": "pyup.io-37044", "specs": [ "<0.2.1" @@ -19208,10 +29279,21 @@ "v": "<0.2.1" } ], + "wasmtime": [ + { + "advisory": "Wasmtime 0.27.0 fixes a security issue in Cranelift's x64 backend that could result in a heap sandbox escape due to an incorrect sign-extension.", + "cve": "PVE-2021-40530", + "id": "pyup.io-40530", + "specs": [ + "<0.27.0" + ], + "v": "<0.27.0" + } + ], "watchmaker": [ { "advisory": "watchmaker 0.14.0 implements additional Salt states to address security scan issues", - "cve": null, + "cve": "PVE-2021-36948", "id": "pyup.io-36948", "specs": [ "<0.14.0" @@ -19222,7 +29304,7 @@ "web-py": [ { "advisory": "Web-py 0.21 prevents bad characters in headers. This is a security fix.", - "cve": null, + "cve": "PVE-2021-38615", "id": "pyup.io-38615", "specs": [ "<0.21" 
@@ -19231,7 +29313,7 @@ }, { "advisory": "Web-py before 0.23 did not support secure cookies.", - "cve": null, + "cve": "PVE-2021-38614", "id": "pyup.io-38614", "specs": [ "<0.23" @@ -19240,7 +29322,7 @@ }, { "advisory": "Web-py 0.36 adds the `secure` option to a session.", - "cve": null, + "cve": "PVE-2021-38613", "id": "pyup.io-38613", "specs": [ "<0.36" @@ -19249,7 +29331,7 @@ }, { "advisory": "Web-py 0.39 fixes a security issue with the form module. Additionally, it fixes a security issue with the db module.", - "cve": null, + "cve": "PVE-2021-38612", "id": "pyup.io-38612", "specs": [ "<0.39" @@ -19260,7 +29342,7 @@ "web.py": [ { "advisory": "web.py 0.39 fixes a security issue in the form module and the db module.", - "cve": null, + "cve": "PVE-2021-35782", "id": "pyup.io-35782", "specs": [ "<0.39" @@ -19271,7 +29353,7 @@ "web3": [ { "advisory": "Web3 version 1.2.7 upgrades swarm-js to 0.1.40 to remove an npm vulnerability warning. It also upgrades devDeps to resolve security warnings:\r\n- dtslint 0.4.2 => 3.4.1\r\n- definitelytyped-header-parser 1.0.1 => 3.9.0", - "cve": null, + "cve": "PVE-2021-38214", "id": "pyup.io-38214", "specs": [ "<1.2.7" @@ -19280,16 +29362,34 @@ }, { "advisory": "Web3 1.3.1 fixes some vulnerable dependencies.", - "cve": null, + "cve": "PVE-2021-39123", "id": "pyup.io-39123", "specs": [ "<1.3.1" ], "v": "<1.3.1" }, + { + "advisory": "Web3 1.3.3 ran 'npm audit fix' which fixed 4 vulnerabilities.", + "cve": "PVE-2021-39471", + "id": "pyup.io-39471", + "specs": [ + "<1.3.3" + ], + "v": "<1.3.3" + }, + { + "advisory": "Web3 1.3.4 includes fixes for 4 vulnerabilities.", + "cve": "PVE-2021-39656", + "id": "pyup.io-39656", + "specs": [ + "<1.3.4" + ], + "v": "<1.3.4" + }, { "advisory": "web3 4.7.0 upgrades eth-hash to 0.2.0 with pycryptodome 3.6.6 which resolves a vulnerability.", - "cve": null, + "cve": "PVE-2021-36480", "id": "pyup.io-36480", "specs": [ "<4.7.0" 
@@ -19326,10 +29426,32 @@ "v": ">=6.0.0b1,<=6.0.0b4" } ], + "webauthn-rp": [ + { + "advisory": "Webauthn-rp 0.0.10 updates dependencies to mitigate a potential vulnerability. See .", + "cve": "PVE-2021-40260", + "id": "pyup.io-40260", + "specs": [ + "<0.0.10" + ], + "v": "<0.0.10" + } + ], + "webchanges": [ + { + "advisory": "Webchanges 3.7.0 and 3.7.1 introduce a new 'execute' filter to filter the data using an executable without invoking the shell (as 'shellpipe' does) and therefore exposing to additional security risks. Versions 3.7.0 and 3.7.1 also strengthen the security with 'bandit' to catch common security issues.", + "cve": "PVE-2021-40868", + "id": "pyup.io-40868", + "specs": [ + "<3.7.0" + ], + "v": "<3.7.0" + } + ], "webp": [ { "advisory": "Webp 1.0.1 adds further security related hardening in libwebp & libwebpmux.", - "cve": null, + "cve": "PVE-2021-36726", "id": "pyup.io-36726", "specs": [ "<0.1.2" @@ -19340,7 +29462,7 @@ "webscrapbook": [ { "advisory": "Webscrapbook 0.20.0 added content security policy restriction for served web pages. They can no longer send AJAX requests and form actions to prevent a potential attack. A config `app.content_security_policy` is added to change the behavior.", - "cve": null, + "cve": "PVE-2021-38854", "id": "pyup.io-38854", "specs": [ "<0.20.0" 
@@ -19349,23 +29471,41 @@ }, { "advisory": "Webscrapbook 0.27.0 dropped support of JavaScript when viewing a page archive, due to a security concern.", - "cve": null, + "cve": "PVE-2021-38853", "id": "pyup.io-38853", "specs": [ "<0.27.0" ], "v": "<0.27.0" + }, + { + "advisory": "Webscrapbook 0.39.0 fixes a security issue that may allow the user to access any directory on Windows.", + "cve": "PVE-2021-40219", + "id": "pyup.io-40219", + "specs": [ + "<0.39.0" + ], + "v": "<0.39.0" } ], "websockets": [ { "advisory": "websockets 5.0 fixes a denial of service by memory exhaustion vulnerability.\r\n\r\n**Version 5.0 adds a** ``user_info`` **field to the return value of**\r\n :func:`~uri.parse_uri` **and** :class:`~uri.WebSocketURI` **.**\r\n\r\n If you're unpacking :class:`~websockets.WebSocketURI` into four variables,\r\n adjust your code to account for that fifth field.", - "cve": null, + "cve": "PVE-2021-36234", "id": "pyup.io-36234", "specs": [ "<5.0,>=4.0.0" ], "v": "<5.0,>=4.0.0" + }, + { + "advisory": "The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.", + "cve": "CVE-2021-33880", + "id": "pyup.io-40622", + "specs": [ + "<9.1" + ], + "v": "<9.1" } ], "werkzeug": [ @@ -19389,7 +29529,7 @@ }, { "advisory": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.", - "cve": null, + "cve": "PVE-2021-26435", "id": "pyup.io-26435", "specs": [ "<0.12" @@ -19398,7 +29538,7 @@ }, { "advisory": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.", - "cve": null, + "cve": "PVE-2021-36967", "id": "pyup.io-36967", "specs": [ "<0.15.0" 
@@ -19407,7 +29547,7 @@ }, { "advisory": "Werkzeug 0.3.1 fixes a security problem with `werkzeug.contrib.SecureCookie`.", - "cve": null, + "cve": "PVE-2021-26428", "id": "pyup.io-26428", "specs": [ "<0.3.1" @@ -19416,7 +29556,7 @@ }, { "advisory": "Werkzeug 0.6.1 adds secure password hashing and checking functions.", - "cve": null, + "cve": "PVE-2021-26437", "id": "pyup.io-26437", "specs": [ "<0.6.1" @@ -19425,7 +29565,7 @@ }, { "advisory": "werkzeug before 0.8 allowed newlines in the header datastructure, allowing header injection attacks.", - "cve": null, + "cve": "PVE-2021-26175", "id": "pyup.io-26175", "specs": [ "<0.8" @@ -19434,7 +29574,7 @@ }, { "advisory": "Werkzeug 0.8.3 fixes an XSS problem with redirect targets coming from untrusted sources.", - "cve": null, + "cve": "PVE-2021-26427", "id": "pyup.io-26427", "specs": [ "<0.8.3" @@ -19443,7 +29583,7 @@ }, { "advisory": ":class:`~exceptions.BadRequestKeyError` in werkzeug 0.15.5 adds the ``KeyError`` message to the description if ``e.show_exception`` is set to ``True``. This is a more secure default than the original 0.15.0 behavior and makes it easier to control without losing information.", - "cve": null, + "cve": "PVE-2021-37276", "id": "pyup.io-37276", "specs": [ ">=0.15.0,<0.15.5" 
@@ -19451,10 +29591,21 @@ "v": ">=0.15.0,<0.15.5" } ], + "whispers": [ + { + "advisory": "Whispers 1.3.9 includes a fix for CVE-2020-27783: A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.", + "cve": "CVE-2020-27783", + "id": "pyup.io-39466", + "specs": [ + "<1.3.9" + ], + "v": "<1.3.9" + } + ], "whitenoise": [ { "advisory": "whitenoise 4.1.3 change: Fix potential path traversal attack while running in autorefresh mode on\r\n Windows", - "cve": null, + "cve": "PVE-2021-37275", "id": "pyup.io-37275", "specs": [ "<4.1.3" @@ -19462,10 +29613,21 @@ "v": "<4.1.3" } ], + "wikirepo": [ + { + "advisory": "Wikirepo 0.1.1.5 includes fixes to vulnerabilities through exception use.", + "cve": "PVE-2021-40303", + "id": "pyup.io-40303", + "specs": [ + "<0.1.1.5" + ], + "v": "<0.1.1.5" + } + ], "will": [ { "advisory": "will before 0.5.4 uses a insecure transitive dependency (bottle).", - "cve": null, + "cve": "PVE-2021-35046", "id": "pyup.io-35046", "specs": [ "<0.5.4" @@ -19473,10 +29635,32 @@ "v": "<0.5.4" } ], + "wiperf-poller": [ + { + "advisory": "Wiperf-poller before 0.18 improves route issues detection and applies fixes to prevent malicious route injection.", + "cve": "PVE-2021-39431", + "id": "pyup.io-39431", + "specs": [ + "<0.1.8" + ], + "v": "<0.1.8" + } + ], + "wirecloud-keycloak": [ + { + "advisory": "Wirecloud-keycloak 0.3.4 fixes auth token injection when using WireCloud's proxy.", + "cve": "PVE-2021-40905", + "id": "pyup.io-40905", + "specs": [ + "<0.3.4" + ], + "v": "<0.3.4" + } + ], "wirepas-backend-client": [ { "advisory": "Wirepas-backend-client 1.2.0rc2 hides credentials when printing to stdout - see https://github.com/wirepas/backend-client/issues/48", - "cve": null, + "cve": "PVE-2021-37522", "id": "pyup.io-37522", "specs": [ "<1.2.0rc2" 
@@ -19487,7 +29671,7 @@ "wordops": [ { "advisory": "The hsts flag in wordops before 1.16.0 on site was not secure with letsencrypt.", - "cve": null, + "cve": "PVE-2021-37541", "id": "pyup.io-37541", "specs": [ "<1.16.0" @@ -19496,7 +29680,7 @@ }, { "advisory": "Wordops 3.9.6 adds fail2ban with custom jails to secure WordPress & SSH.", - "cve": null, + "cve": "PVE-2021-37540", "id": "pyup.io-37540", "specs": [ "<3.9.6" @@ -19505,7 +29689,7 @@ }, { "advisory": "Wordops 3.9.7 secures the proftpd stack with TLS.", - "cve": null, + "cve": "PVE-2021-37539", "id": "pyup.io-37539", "specs": [ "<3.9.7" @@ -19514,7 +29698,7 @@ }, { "advisory": "Wordops 3.9.9 adds `wo secure --ssh` to harden ssh security.", - "cve": null, + "cve": "PVE-2021-37534", "id": "pyup.io-37534", "specs": [ "<3.9.9" @@ -19523,7 +29707,7 @@ }, { "advisory": "Wordops 3.9.9.1 improves the sshd_config template according to Mozilla Infosec guidelines.", - "cve": null, + "cve": "PVE-2021-37533", "id": "pyup.io-37533", "specs": [ "<3.9.9.1" @@ -19534,7 +29718,7 @@ "wpull": [ { "advisory": "wpull before 0.1006.1 is leaking HTTP header fields when transitioning from HTTP to HTTPS.", - "cve": null, + "cve": "PVE-2021-26176", "id": "pyup.io-26176", "specs": [ "<0.1006.1" @@ -19565,7 +29749,7 @@ "xmlschema-acue": [ { "advisory": "Xmlschema-acue 0.9.27:\r\n- Adds support for preventing XML attacks with the use of the *defusedxml* package (added *defuse* argument to schemas)\r\n- Fixes the group circularity (issue 58)\r\n- Fixes the billion laughs attacks using XSD groups expansion", - "cve": null, + "cve": "PVE-2021-37716", "id": "pyup.io-37716", "specs": [ "<0.9.27" @@ -19576,7 +29760,7 @@ "xontrib-output-search": [ { "advisory": "Xontrib-output-search 0.0.2 no longer uses `XONSH_STORE_STDOUT`. Now, the output is stored only for last not empty command and in memory. This is a more secure solution.", - "cve": null, + "cve": "PVE-2021-38310", "id": "pyup.io-38310", "specs": [ "<0.0.2" 
@@ -19584,10 +29768,68 @@ "v": "<0.0.2" } ], + "xpra": [ + { + "advisory": "Xpra 0.0.7.34 restricts access to the 'run-xpra' script (chmod) and fixes a problem when cursor data sent to the client was too big (exposing server memory).", + "cve": "PVE-2021-40248", + "id": "pyup.io-40248", + "specs": [ + "<0.0.7.34" + ], + "v": "<0.0.7.34" + }, + { + "advisory": "Xpra 0.1.0 includes a security patch for strict filtering of packet handlers until a connection is authenticated.", + "cve": "PVE-2021-40247", + "id": "pyup.io-40247", + "specs": [ + "<0.1.0" + ], + "v": "<0.1.0" + }, + { + "advisory": "Xpra 0.13.9 uses the secure \"compare_digest\" if available.", + "cve": "PVE-2021-40245", + "id": "pyup.io-40245", + "specs": [ + "<0.13.9" + ], + "v": "<0.13.9" + }, + { + "advisory": "Xpra 0.15.8 fixes validation of the 'mmap' security token.", + "cve": "PVE-2021-40244", + "id": "pyup.io-40244", + "specs": [ + "<0.15.8" + ], + "v": "<0.15.8" + }, + { + "advisory": "Xpra 2.3 adds custom http headers to support the content security policy.", + "cve": "PVE-2021-40242", + "id": "pyup.io-40242", + "specs": [ + "<2.3" + ], + "v": "<2.3" + } + ], + "xscrapers": [ + { + "advisory": "Xscrapers 127.0.0.150077", + "cve": "PVE-2021-39640", + "id": "pyup.io-39640", + "specs": [ + "<127.0.0.150077" + ], + "v": "<127.0.0.150077" + } + ], "xtea3": [ { "advisory": "xtea3 1.0.0 change: Removal of CBCMAC (security reasons)", - "cve": null, + "cve": "PVE-2021-37222", "id": "pyup.io-37222", "specs": [ "<1.0.0" @@ -19598,7 +29840,7 @@ "xuper": [ { "advisory": "xuper 3.2.0 validates autogen tx to avoid fake transaction attack; Fix UTXO with negative frozen heigh could pass transaction check; Check the number of coinbase transactions in a block to avoid byzantine miner;", - "cve": null, + "cve": "PVE-2021-37718", "id": "pyup.io-37718", "specs": [ "<3.2.0" 
@@ -19609,7 +29851,7 @@ "yahoo-earnings-calendar": [ { "advisory": "yahoo-earnings-calendar 0.4.0 - fix(security): upgrade requests (14)", - "cve": null, + "cve": "PVE-2021-36697", "id": "pyup.io-36697", "specs": [ "<0.4.0" @@ -19618,7 +29860,7 @@ }, { "advisory": "Yahoo-earnings-calendar 0.5.2 upgrades urllib3 to 1.24.2 for security reasons.", - "cve": null, + "cve": "PVE-2021-37079", "id": "pyup.io-37079", "specs": [ "<0.5.2" @@ -19629,7 +29871,7 @@ "yasha": [ { "advisory": "yasha before 4.0 is parsing JSON without using the 'safe_load' function.", - "cve": null, + "cve": "PVE-2021-35004", "id": "pyup.io-35004", "specs": [ "<4.0" @@ -19640,7 +29882,7 @@ "yaybu": [ { "advisory": "yaybu before 0.1.14 doesn't set file system permissions before content is written.", - "cve": null, + "cve": "PVE-2021-26177", "id": "pyup.io-26177", "specs": [ "<0.1.14" @@ -19651,7 +29893,7 @@ "yorm": [ { "advisory": "yorm 1.6.1 updates `PyYAML` to `5.1` for security fixes.", - "cve": null, + "cve": "PVE-2021-36983", "id": "pyup.io-36983", "specs": [ "<1.6.1" @@ -19662,7 +29904,7 @@ "yubiauth": [ { "advisory": "yubiauth before 0.2.3 is updating credentials in an insecure way.", - "cve": null, + "cve": "PVE-2021-26178", "id": "pyup.io-26178", "specs": [ "<0.2.3" @@ -19673,7 +29915,7 @@ "z3c.form": [ { "advisory": "z3c.form before 2.4.2 has a security vulnerability in IBrowserRequest from IFormLayer. This prevents to mixin IBrowserRequest into non IBrowserRequest e.g. IJSONRPCRequest. This should be compatible since a browser request using z3c.form already provides IBrowserRequest and the IFormLayer is only a marker interface used as skin layer.", - "cve": null, + "cve": "PVE-2021-26179", "id": "pyup.io-26179", "specs": [ "<2.4.2" @@ -19684,7 +29926,7 @@ "zeep": [ { "advisory": "zeep before 0.4.0 is using an insecure XML parser.", - "cve": null, + "cve": "PVE-2021-26180", "id": "pyup.io-26180", "specs": [ "<0.4.0" 
@@ -19714,10 +29956,21 @@ "v": "<0.21.0" } ], + "zigpy-znp": [ + { + "advisory": "CC2531 coordinators running Z-Stack Home 1.2 firmware in zigpy-znp before version 0.3.0 erroneously permit joins on startup, even after being reset. Joins are now explicitly disabled every time the coordinator is started. See: .", + "cve": "PVE-2021-39245", + "id": "pyup.io-39245", + "specs": [ + "<0.3.0" + ], + "v": "<0.3.0" + } + ], "ziirish": [ { "advisory": "ziirish before 0.0.7.1 has some undisclosed security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-26181", "id": "pyup.io-26181", "specs": [ "<0.0.7.1" @@ -19726,7 +29979,7 @@ }, { "advisory": "ziirish before 0.1.0 has some undisclosed security vulnerabilities.", - "cve": null, + "cve": "PVE-2021-26182", "id": "pyup.io-26182", "specs": [ "<0.1.0" @@ -19735,7 +29988,7 @@ }, { "advisory": "ziirish before 0.3.0 doesn't restrict files that can be sent by the agent.", - "cve": null, + "cve": "PVE-2021-26183", "id": "pyup.io-26183", "specs": [ "<0.3.0" @@ -19783,6 +30036,15 @@ } ], "zope": [ + { + "advisory": "Zope 2.13.1 restores security declarations for deprecated 'sets' module.", + "cve": "PVE-2021-41055", + "id": "pyup.io-41055", + "specs": [ + "<2.13.1" + ], + "v": "<2.13.1" + }, { "advisory": "Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).", "cve": "CVE-2012-6661", 
@@ -19793,14 +30055,51 @@ "v": "<2.13.19" }, { - "advisory": "Zope 3.9.0 fixes CVE-2009-2701 and CVE-2009-0668 and CVE-2009-0669.", - "cve": "CVE-2009-2701, CVE-2009-0668, CVE-2009-0669", + "advisory": "Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS.", + "cve": "CVE-2021-33507", + "id": "pyup.io-40532", + "specs": [ + "<2.5.1" + ], + "v": "<2.5.1" + }, + { + "advisory": "Zope 3.9.0 fixes CVE-2009-0669.", + "cve": "CVE-2009-0669", + "id": "pyup.io-39554", + "specs": [ + "<3.9.0" + ], + "v": "<3.9.0" + }, + { + "advisory": "Zope 3.9.0 fixes CVE-2009-2701.", + "cve": "CVE-2009-2701", "id": "pyup.io-36590", "specs": [ "<3.9.0" ], "v": "<3.9.0" }, + { + "advisory": "Zope 3.9.0 fixes CVE-2009-0668.", + "cve": "CVE-2009-0668", + "id": "pyup.io-39555", + "specs": [ + "<3.9.0" + ], + "v": "<3.9.0" + }, + { + "advisory": "Zope 4.6 and 5.2 includes a fix for CVE-2021-32633: Zope is an open-source web application server. In Zope versions prior to 4.6 and 5.2, users can access untrusted modules indirectly through Python modules that are available for direct use. By default, only users with the Manager role can add or edit Zope Page Templates through the web, but sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk from this vulnerability. The problem has been fixed in Zope 5.2 and 4.6. As a workaround, a site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. 
Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.", + "cve": "CVE-2021-32633", + "id": "pyup.io-40531", + "specs": [ + "<4.6.0", + ">=5.0a1,<5.2" + ], + "v": "<4.6.0,>=5.0a1,<5.2" + }, { "advisory": "CVE-2011-4924: Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3, 3.1.1 through 3.4.1. allows remote attackers to inject arbitrary web script or HTML via vectors related to the way error messages perform sanitization. NOTE: this issue exists because of an incomplete fix for CVE-2010-1104.", "cve": "CVE-2011-4924", 
@@ -19814,11 +30113,30 @@ ">=3.1.1,<=3.4.1" ], "v": ">=2.8,<2.8.12,>=2.9,<2.9.12,>=2.10,<2.10.11,>=2.11,<2.11.6,>=2.12,<2.12.3,>=3.1.1,<=3.4.1" + }, + { + "advisory": "Zope 5.3 updates the 'AccessControl' version pin to fix a remote code execution issue (CVE-2021-32807).", + "cve": "CVE-2021-32807", + "id": "pyup.io-41051", + "specs": [ + ">=5.0.0,<5.3.0" + ], + "v": ">=5.0.0,<5.3.0" + }, + { + "advisory": "Most Python modules are not available for using in TAL expressions that you can add through-the-web, for example in Zope Page Templates. This restriction avoids file system access, for example via the 'os' module. But some of the untrusted modules are available indirectly through Python modules that are available for direct use. By default, you need to have the Manager role to add or edit Zope Page Templates through the web. Only sites that allow untrusted users to add/edit Zope Page Templates through the web are at risk. The problem has been fixed in Zope 5.21 and 4.6.1. The workaround is the same as for https://github.com/zopefoundation/Zope/security/advisories/GHSA-5pr9-v234-jw36: A site administrator can restrict adding/editing Zope Page Templates through the web using the standard Zope user/role permission mechanisms. 
Untrusted users should not be assigned the Zope Manager role and adding/editing Zope Page Templates through the web should be restricted to trusted users only.", + "cve": "CVE-2021-32674", + "id": "pyup.io-40636", + "specs": [ + ">=5.0.0a1,<5.21.0", + ">=4.0.0a1,<4.6.1" + ], + "v": ">=5.0.0a1,<5.21.0,>=4.0.0a1,<4.6.1" } ], "zope.html": [ { - "advisory": "Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.", + "advisory": "Zope.html 1.2 includes a fix for CVE-2009-2265: Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.", "cve": "CVE-2009-2265", "id": "pyup.io-26190", "specs": [ @@ -19900,7 +30218,7 @@ "zopeskel": [ { "advisory": "zopeskel before <2.11 uses an insecure transitive dependency (Zope before 2.9.10).", - "cve": null, + "cve": "PVE-2021-26198", "id": "pyup.io-26198", "specs": [ "<2.11" @@ -19911,7 +30229,7 @@ "zsl": [ { "advisory": "zsl 0.22.0 upgrade to newest Flask and removes vulnerable dependencies", - "cve": null, + "cve": "PVE-2021-37856", "id": "pyup.io-37856", "specs": [ "<0.22.0" 
@@ -19921,8 +30239,17 @@ ], "zulip": [ { - "advisory": "Zulip 1.5.2:\r\n- CVE-2017-0896: Restricting inviting new users to admins was broken.\r\n- CVE-2015-8861: Insecure old version of handlebars templating engine.", - "cve": "CVE-2017-0896,CVE-2015-8861", + "advisory": "Zulip 1.5.2:\r\n- CVE-2015-8861: Insecure old version of handlebars templating engine.", + "cve": "CVE-2015-8861", + "id": "pyup.io-39553", + "specs": [ + "<1.5.2" + ], + "v": "<1.5.2" + }, + { + "advisory": "Zulip 1.5.2:\r\n- CVE-2017-0896: Restricting inviting new users to admins was broken.", + "cve": "CVE-2017-0896", "id": "pyup.io-35007", "specs": [ "<1.5.2" @@ -19931,7 +30258,7 @@ }, { "advisory": "Zulip 1.6.0 adds security hardening before serving uploaded files. It also refactors various endpoints to use a single code path for security hardening.", - "cve": null, + "cve": "PVE-2021-35006", "id": "pyup.io-35006", "specs": [ "<1.6.0" @@ -19940,7 +30267,7 @@ }, { "advisory": "Zulip 1.7.0 adds a new \"incoming webhook\" bot type, limited to only sending messages into Zulip, for better security.", - "cve": null, + "cve": "PVE-2021-35078", "id": "pyup.io-35078", "specs": [ "<1.7.0" 
@@ -19957,17 +30284,44 @@ "v": "<1.7.1" }, { - "advisory": "Zulip 1.7.2 is a security release, with a handful of cherry-picked changes since 1.7.1.\r\n- CVE-2018-9986: Fix XSS issues with frontend markdown processor.\r\n- CVE-2018-9987: Fix XSS issue with muting notifications.\r\n- CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.\r\n- CVE-2018-9999: Fix XSS issue with user uploads. The fix for this adds a Content-Security-Policy for the `LOCAL_UPLOADS_DIR` storage backend for user-uploaded files.", - "cve": "CVE-2018-9986,CVE-2018-9987,CVE-2018-9990,CVE-2018-9999", + "advisory": "Zulip 1.7.2 is a security release, with a handful of cherry-picked changes since 1.7.1.\r\n- CVE-2018-9986: Fix XSS issues with frontend markdown processor.", + "cve": "CVE-2018-9986", "id": "pyup.io-36168", "specs": [ "<1.7.2" ], "v": "<1.7.2" }, + { + "advisory": "Zulip 1.7.2 is a security release, with changes since 1.7.1.\r\n- CVE-2018-9987: Fix XSS issue with muting notifications.", + "cve": "CVE-2018-9987", + "id": "pyup.io-39552", + "specs": [ + "<1.7.2" + ], + "v": "<1.7.2" + }, + { + "advisory": "Zulip 1.7.2 is a security release, with changes since 1.7.1.\r\n- CVE-2018-9999: Fix XSS issue with user uploads. The fix for this adds a Content-Security-Policy for the `LOCAL_UPLOADS_DIR` storage backend for user-uploaded files.", + "cve": "CVE-2018-9999", + "id": "pyup.io-39550", + "specs": [ + "<1.7.2" + ], + "v": "<1.7.2" + }, + { + "advisory": "Zulip 1.7.2 is a security release, with changes since 1.7.1.\r\n- CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.", + "cve": "CVE-2018-9990", + "id": "pyup.io-39551", + "specs": [ + "<1.7.2" + ], + "v": "<1.7.2" + }, { "advisory": "Zulip 1.8.0 includes several important security fixes since 1.7.0, which were released already in 1.7.1 and 1.7.2.\r\n- The security model for private streams has changed. 
Now organization administrators can remove users, edit descriptions, and rename private streams they are not subscribed to. See Zulip's security model documentation for details.\r\n- On Xenial, the local uploads backend now does the same security checks that the S3 backend did before serving files to users. Ubuntu Trusty's version of nginx is too old to support this and so the legacy model is the default; we recommend upgrading.", - "cve": null, + "cve": "PVE-2021-36187", "id": "pyup.io-36187", "specs": [ "<1.8.0" @@ -19975,14 +30329,23 @@ "v": "<1.8.0" }, { - "advisory": "Zulip 2.0.5 fixes DoS vulnerability in Markdown LINK_RE (CVE-2019-16215). It also fixes MIME type validation (CVE-2019-16216).", - "cve": "CVE-2019-16215,CVE-2019-16216", + "advisory": "Zulip 2.0.5 fixes DoS vulnerability in Markdown LINK_RE (CVE-2019-16215).", + "cve": "CVE-2019-16215", "id": "pyup.io-38117", "specs": [ "<2.0.5" ], "v": "<2.0.5" }, + { + "advisory": "Zulip 2.0.5 fixes MIME type validation (CVE-2019-16216).", + "cve": "CVE-2019-16216", + "id": "pyup.io-39549", + "specs": [ + "<2.0.5" + ], + "v": "<2.0.5" + }, { "advisory": "Zulip 2.0.7 inlcudes a fix for insecure account creation via social authentication - see CVE-2019-18933. It also adds backend enforcement of zxcvbn password strength checks.", "cve": "CVE-2019-18933", @@ -20003,7 +30366,7 @@ }, { "advisory": "Zulip 2.1.0 improves default nginx TLS settings for stronger security.", - "cve": null, + "cve": "PVE-2021-38115", "id": "pyup.io-38115", "specs": [ "<2.1.0" 
@@ -20020,30 +30383,48 @@ "v": "<2.1.2" }, { - "advisory": "Zulip Server 2.1.3 includes fixes for:\r\n- CVE-2020-9444: Prevent reverse tabnapping attacks. \r\n- CVE-2020-9445: Remove unused and insecure modal_link feature. \r\n- CVE-2020-10935: Fix XSS vulnerability in local link rewriting.", - "cve": "CVE-2020-9444,CVE-2020-10935", + "advisory": "Zulip Server 2.1.3 includes a fix for:\r\n- CVE-2020-9444: Prevent reverse tabnapping attacks.", + "cve": "CVE-2020-9444", "id": "pyup.io-38200", "specs": [ "<2.1.3" ], "v": "<2.1.3" + }, + { + "advisory": "Zulip Server 2.1.3 includes a fix for:\r\n- CVE-2020-10935: Fix XSS vulnerability in local link rewriting.", + "cve": "CVE-2020-10935", + "id": "pyup.io-39548", + "specs": [ + "<2.1.3" + ], + "v": "<2.1.3" } ], "zulip-term": [ { "advisory": "Zulip-term 0.5.2 fixes a security issue due to limited quote escaping in notifications. Additionally, it fixes a security issue when running in profiling mode (fixed filename in /tmp).", - "cve": null, + "cve": "PVE-2021-38640", "id": "pyup.io-38640", "specs": [ "<0.5.2" ], "v": "<0.5.2" + }, + { + "advisory": "Zulip-term 0.6.0 includes a fix for a security issue (strongly recommended to upgrade immediately).", + "cve": "PVE-2021-39511", + "id": "pyup.io-39511", + "specs": [ + "<0.6.0" + ], + "v": "<0.6.0" } ], "zwiki": [ { "advisory": "zwiki before <0.37 has a cross-site scripting vulnerability in standard error messages.", - "cve": null, + "cve": "PVE-2021-26199", "id": "pyup.io-26199", "specs": [ "<0.37" @@ -20052,7 +30433,7 @@ }, { "advisory": "zwiki before <0.59 has a vulnerability in a comment form.", - "cve": null, + "cve": "PVE-2021-26200", "id": "pyup.io-26200", "specs": [ "<0.59"